In association with heise online

21 October 2011, 14:57

Adobe remedies webcam spy hole in Flash

Adobe has closed a clickjacking hole in Adobe Flash that attackers could use to spy on victims via their camera and microphone without being noticed. Feross Aboukhadijeh, a student at Stanford University, discovered the flaw and published details in his blog last Tuesday.

Normally, cameras and microphones are disabled, and only users can turn them on. To trick users into enabling them, attackers can present a simple clicking game on a specially crafted web site. The users click on a number of buttons with their mouse, but in the background, the web site opens the Flash Player Settings Manager in a hidden iFrame. As the user clicks, those clicks are passed to the settings menu, and the user thereby gives the attackers the right to access video and audio input devices.

This attack scenario was originally presented back in 2008. At the time, Adobe remedied the problem by amending the settings page on their web servers – the addition of a few lines of JavaScript has prevented the page from being loaded in an iFrame (frame busting) since then. But Adobe overlooked one detail: Flash files (.swf) can also be directly embedded in an iFrame. When the Flash component of the Settings Manager is embedded in an iFrame on its own, the web site content that normally surrounds the Flash file is not loaded, so the frame busting code is never loaded or run.

Adobe has now fixed the problem with an update to the Flash Player settings file hosted on Adobe's web servers. Users do not need to update their Flash Player installations.
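The gap described above, where script-based frame busting protects only the HTML page that carries it and not a resource requested directly, can be checked for from the defender's side. The following is an added example, not code from Adobe or from the original article: it classifies HTTP responses by whether a header-based framing control covers them (`X-Frame-Options` or CSP `frame-ancestors`, general browser mechanisms the article does not mention), and the URLs, headers and bodies are constructed samples.

```javascript
// Added example: classify how each HTTP response is protected against framing.
// All URLs, headers and bodies below are constructed samples, not captured traffic.
const SAMPLE_RESPONSES = [
  { url: "https://example.test/settings.html", contentType: "text/html", headers: {},
    body: "<script>if (top !== self) { top.location = self.location; }</script>" +
          "<object data=\"settings.swf\"></object>" },
  { url: "https://example.test/settings.swf",
    contentType: "application/x-shockwave-flash", headers: {}, body: "" },
  { url: "https://example.test/account.html", contentType: "text/html",
    headers: { "X-Frame-Options": "DENY" }, body: "<p>account</p>" },
  { url: "https://example.test/widget.swf", contentType: "application/x-shockwave-flash",
    headers: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
    body: "" },
];

// Return the header-based framing control in effect, or null if there is none.
function headerFramingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const csp = (h["content-security-policy"] || "").split(";").map((d) => d.trim().toLowerCase());
  const fa = csp.find((d) => d.split(/\s+/)[0] === "frame-ancestors");
  // A wildcard source list allows any parent, so it is not a restriction.
  if (fa && !fa.split(/\s+/).slice(1).includes("*")) return "csp-frame-ancestors";
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return "x-frame-options";
  return null;
}

// Heuristic: does the markup compare top/parent with self/window (script frame busting)?
function hasScriptFrameBusting(body) {
  return /\b(top|parent)\s*[!=]==?\s*(self|window)\b|\b(self|window)\s*[!=]==?\s*(top|parent)\b/.test(body);
}

// Classify one response: header-protected, script-only or unprotected.
function classify(resp) {
  if (headerFramingPolicy(resp.headers)) return "header-protected";
  const isHtml = /^text\/html\b/i.test(resp.contentType);
  // Script can only run when the HTML wrapper itself is the document that gets loaded.
  if (isHtml && hasScriptFrameBusting(resp.body)) return "script-only";
  return "unprotected";
}

function audit(responses) {
  return responses.map((r) => ({ url: r.url, status: classify(r) }));
}

for (const { url, status } of audit(SAMPLE_RESPONSES)) console.log(status.padEnd(16), url);
```

In the sample data the HTML wrapper comes out as `script-only` while the `.swf` it embeds is `unprotected`, which is the situation the article describes.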

