Adobe remedies webcam spy hole in Flash
Adobe has closed a clickjacking hole in Adobe Flash that attackers could use to spy on victims via their camera and microphone without being noticed. Feross Aboukhadijeh, a student at Stanford University, discovered the flaw and published details in his blog last Tuesday.
Normally, cameras and microphones are disabled, and only users can turn them on. To trick users into enabling them, attackers can present a simple clicking game on a specially crafted web site. The users click on a number of buttons with their mouse but in the background, the web site opens the Flash Player Settings Manager in a hidden iFrame. As the user clicks, those clicks are passed to the settings menu and the user gives the attackers the right to access video and audio input devices.
Adobe has now fixed the problem with an update to the Flash Player settings file hosted on Adobe's web servers. Users do not need to update their Flash Player installations.