Flash bug allows spying on website visitors through webcam

A slight variation of a previously designed clickjacking attack that used an Adobe Flash vulnerability has once again made it possible for website administrators to surreptitiously spy on their visitors by turning on the user’s computer webcam and microphone.

The original attack involved putting the Adobe Flash Settings Manager page into an iFrame and masking it with a game, so that when the user clicked on the buttons he would actually change the settings and turn on the webcam.

Once it was made public, Adobe fixed the issue by adding framebusting code to the Settings Manager page. But now, Stanford University computer science student Feross Aboukhadijeh has managed to bypass the framebusting JavaScript code by simply putting the settings SWF file itself into the iFrame, making the clickjacking attack possible again.
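The gap described above, where framebusting script on the HTML page does not cover a SWF file framed directly, can be checked for from the defender's side. The following is an added example, not code from the article, from Aboukhadijeh's PoC or from Adobe: it classifies responses by whether framing is blocked by response headers, only by in-page script, or not at all. All paths, headers and bodies are constructed, and the article does not say how Adobe implemented its fix.

```javascript
// Added example; every path, header and body below is constructed sample data.
function header(resp, name) {
  const hit = Object.entries(resp.headers || {})
    .find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]) : '';
}

// True when response headers forbid framing by other origins.
function headerBlocksFraming(resp) {
  const xfo = header(resp, 'x-frame-options').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;
  for (const directive of header(resp, 'content-security-policy').split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== 'frame-ancestors') continue;
    // Only 'none' / 'self' count here; anything else is left for manual review.
    return sources.length > 0 &&
      sources.every((s) => s === "'none'" || s === "'self'");
  }
  return false;
}

// Heuristic for a script framebuster; it can only ever run in an HTML document.
function hasScriptFramebuster(resp) {
  const type = header(resp, 'content-type').split(';')[0].trim().toLowerCase();
  return type === 'text/html' && /\btop\s*!==?\s*self\b/.test(resp.body || '');
}

function classify(resp) {
  if (headerBlocksFraming(resp)) return 'protected-by-header';
  if (hasScriptFramebuster(resp)) return 'script-only';
  return 'frameable';
}

const SAMPLES = [
  { path: '/settings.html', headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: '<script>if (top !== self) top.location = self.location;</script>' },
  { path: '/settings.swf', headers: { 'Content-Type': 'application/x-shockwave-flash' },
    body: '' },
  { path: '/settings-hardened.swf', headers: {
    'Content-Type': 'application/x-shockwave-flash', 'X-Frame-Options': 'DENY' }, body: '' },
  { path: '/panel.html', headers: { 'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }, body: '' },
];

function audit(samples) {
  return samples.map((r) => ({ path: r.path, verdict: classify(r) }));
}

console.table(audit(SAMPLES));
```

A `script-only` or `frameable` verdict on a resource that exposes sensitive controls is the finding to act on: header-based protection applies to the response itself, whatever its content type.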

“It works in all versions of Adobe Flash that I tested. I’ve confirmed that it works in the Firefox and Safari for Mac browsers,” says Aboukhadijeh on his blog, where he made public the PoC attack code after having received no answer from Adobe after notifying them of the flaw.

According to him, a CSS bug prevents the attack from working on Chrome for Mac and most browsers on Windows and Linux.

“Although every browser and OS is theoretically susceptible to this attack, the process to activate the webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off. I’m not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don’t have to find out,” he says.

A day after his blog post was published, Adobe piped up to say that they are working on a fix for the bug and that, if everything goes well, it should be up and running by the end of the week.

“Note that this issue does not involve/require a product update and/or customer action. (In other words, there will not be a security bulletin.) It’s a fix we are making on our end online, and it is going to be pushed live as soon as QA has completed their testing,” an Adobe spokeswoman commented to CNet, adding that Aboukhadijeh didn’t receive a response sooner because he hadn’t emailed the Adobe Product Security Incident Response Team directly, but sent the message to an employee who was on a sabbatical.

UPDATE: Adobe fixed the flaw on Thursday afternoon US Pacific time. No product update or customer interaction is required.
