Multi-Platform This (or any) website might spy on you thanks to an Adobe Flash flaw - Techist - Tech Forum

Posted by Megatron, 10-20-2011, 09:05 PM

Has your webcam turned on without your permission? You may be the target of a new Flash exploit.

Adobe is scrambling to fix a vulnerability that may allow an attacker to turn on your webcam and microphone to spy on you. Stanford University computer science student Feross Aboukhadijeh discovered the flaw, which is found in every version of Flash and can be exploited in Safari and Firefox on Mac OS X and some browsers within Windows (Chrome appears to be unaffected).

The attacker exploits the bug by using a form of "clickjacking". The term refers to a process where an attacker uses clicks on a seemingly innocuous webpage in order to perform malicious functions. Aboukhadijeh hid the Adobe camera settings within an invisible iFrame. From here, the clicks required to enable the webcam are hidden behind clicks in a simple Flash game.

"I've seen a bunch of clickjacking attacks in the wild, but I've never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic", Aboukhadijeh says.

Here's how it's done: a page exists on the Adobe website called "Websites Privacy Settings Panel", which controls security settings for your webcam and microphone. Each of those clicks in Aboukhadijeh's game is in front of an element in the panel. While you think you're clicking as part of the game, you're actually changing settings on that panel.

Aboukhadijeh says that the flaw does not work on most Windows browsers and Chrome due to a bug that affects opacity within CSS files. "I discovered a workaround that involves multiple iframes, but haven't implemented it yet since it's a bit complicated", he explains. "But, I'm pretty sure that it's possible to make it work everywhere, given enough time".

Adobe says it is in the process of fixing the issue, and it may not involve a fix to the software since the flaw uses a page on its own website to make the exploit work. It expects to have the issue resolved by the end of the week.

This week's discovery isn't the first time that Adobe Flash has had to deal with clickjacking issues -- a similar problem was discovered in October 2008. That issue required a software fix to remedy, however.

All times are GMT -5.