Has your webcam turned on without your permission? You may be the target of a new Flash exploit.
Adobe is scrambling to fix a vulnerability that may allow an attacker to turn on your webcam and microphone to spy on you. Stanford University computer science student Feross Aboukhadijeh discovered the flaw, which is found in every version of Flash and can be exploited in Safari and Firefox on Mac OS X and in some browsers on Windows (Chrome appears to be unaffected).
The attacker exploits the bug by using a form of “clickjacking”. The term refers to a technique in which an attacker gets a user to click on a seemingly innocuous webpage, while those clicks actually land on a hidden element and perform malicious functions. Aboukhadijeh hid the Adobe camera settings within an invisible iframe. From there, the clicks required to enable the webcam are disguised as clicks in a simple Flash game.
“I’ve seen a bunch of clickjacking attacks in the wild, but I’ve never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic”, Aboukhadijeh says.
Here’s how it’s done: a page exists on the Adobe website called “Websites Privacy Settings Panel”, which controls security settings for your webcam and microphone. Each click in Aboukhadijeh’s game lines up with an element in the panel. While you think you’re clicking as part of the game, you’re actually changing settings on that panel.
Aboukhadijeh says that the exploit does not work in Chrome or in most Windows browsers because of a bug that affects opacity in CSS. “I discovered a workaround that involves multiple iframes, but haven’t implemented it yet since it’s a bit complicated”, he explains. “But, I’m pretty sure that it’s possible to make it work everywhere, given enough time”.
Adobe says it is in the process of fixing the issue, and that the fix may not involve a change to the Flash software itself, since the exploit relies on a page on Adobe’s own website. It expects to have the issue resolved by the end of the week.
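Because the attack depends on a sensitive page being framed by another origin, a site can declare in its response headers who is allowed to frame it. The following is an added example, not code from the article or from Adobe and not a description of Adobe's fix; it evaluates `X-Frame-Options` and CSP `frame-ancestors` for a response, and the origins `settings.example` and `game.example` and the function names are hypothetical.

```javascript
// Added example: decide whether a response's headers let `embedder` frame it.
// Simplified: one ancestor only, no host wildcards or path matching.
const PAGE = 'https://settings.example'; // hypothetical page with sensitive controls
const GAME = 'https://game.example';     // hypothetical third-party embedder

function frameAncestorsSources(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent (default-src is NOT a fallback for it)
}

function canBeFramedBy(headers, pageOrigin, embedder) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const sources = frameAncestorsSources(h['content-security-policy'] || '');
  if (sources !== null) {
    // frame-ancestors, when present, takes precedence over X-Frame-Options.
    return sources.some((s) => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "'self'") return embedder === pageOrigin;
      if (src === '*') return true;
      if (src.endsWith(':')) return embedder.startsWith(src); // scheme, e.g. https:
      return src === embedder.toLowerCase();
    });
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin;
  // ALLOW-FROM is obsolete and ignored by current browsers; treat as unprotected.
  return true;
}

// Constructed sample responses: which ones leave the page framable by GAME?
function auditSamples() {
  const samples = {
    none: {},
    xfoDeny: { 'X-Frame-Options': 'DENY' },
    cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
    cspOnlyDefault: { 'Content-Security-Policy': "default-src 'self'" },
  };
  return Object.keys(samples).filter((k) => canBeFramedBy(samples[k], PAGE, GAME));
}
```

Of the constructed samples, only the response with no headers and the one whose CSP lacks `frame-ancestors` remain framable by the third-party origin.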
This week’s discovery isn’t the first time that Adobe Flash has had to deal with clickjacking issues — a similar problem was discovered in October 2008. That issue required a software fix to remedy, however.