
Adobe Flash Exploit Gave Websites Access to Webcams

Source: Adobe | 34 comments

A security flaw in Adobe Flash allowed websites to take control of webcams and microphones.

On Thursday, Adobe said that it had resolved a nasty Mac-only "clickjacking" issue with Adobe Flash that allowed websites to access a visitor’s webcam without permission. The company said the problem actually resided within the Flash Player Settings Manager SWF file hosted on the Adobe website. No further details were released, other than that neither user intervention nor a Flash Player product update is required.

The exploit was first exposed on Tuesday by researcher and Stanford computer science major Feross Aboukhadijeh. He discovered that webcam and microphone abduction was performed by using a variation of the normal clickjacking technique. He reportedly told Adobe about the gaping hole after it was first discovered, but once a few weeks passed by without any kind of response, he decided to bring the exploit out in the open to force Adobe's hand.

Looks like it worked.

"I stumbled upon this blog post entitled 'Malicious camera spying using ClickJacking' where the author shows how to clickjack the Adobe Flash Settings Manager page to enable users’ webcams," Feross said on Tuesday. "He accomplishes this by putting the whole settings page into an iframe and making it invisible. Then, unsuspecting users play a little game and unwittingly enable their webcams. Adobe quickly added framebusting code to the Settings Manager page (why wasn’t it there in the first place?), and the attack stopped working."

"But alas, the same attack is actually still possible," he added. "Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file. This let me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!"

But now there's nothing to fear, Mac users: Adobe has supposedly fixed the problem. Still, for those interested in how the webcam kidnapping worked, Feross has provided a 5-minute demonstration, as seen below.

HOW TO: Spy on the Webcams of Your Website Visitors
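
The bypass quoted above worked because framebusting script lives in the HTML page and does nothing for a file loaded into a frame on its own. As an added example (not from the article, Feross or Adobe), the audit below checks framing protection at the HTTP header level, which browsers evaluate on whatever response fills the frame. The URLs and header sets are constructed, and the header-based hardening is a general defence, not a description of Adobe's undisclosed fix.

```javascript
// Added example. URLs and header sets below are constructed for illustration.
// Classify how a response's HTTP headers restrict framing by other origins.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  // (Single-policy header assumed; comma-joined multiple policies not handled.)
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const src = sources.map((s) => s.toLowerCase());
    if (src.length === 0 || (src.length === 1 && src[0] === "'none'")) return 'deny';
    if (src.every((s) => s === "'self'")) return 'same-origin';
    // A bare wildcard or scheme-only source lets essentially any site frame it.
    const open = src.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
    return open ? 'unprotected' : 'allow-list';
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'deny';
  if (xfo === 'sameorigin') return 'same-origin';
  // Missing, malformed, or obsolete ALLOW-FROM values give no protection.
  return 'unprotected';
}

// Return the URLs of resources that any origin could place in a frame.
function auditFraming(resources) {
  return resources
    .filter((r) => framingPolicy(r.headers) === 'unprotected')
    .map((r) => r.url);
}

// Constructed "before": the HTML page relies on in-page framebusting script
// only, and the SWF it embeds is served with no framing headers either.
const before = [
  { url: 'https://settings.example/manager.html', headers: { 'Content-Type': 'text/html' } },
  { url: 'https://settings.example/manager.swf', headers: { 'Content-Type': 'application/x-shockwave-flash' } },
];
// Constructed "after": the same headers are sent on every response, SWF included.
const after = before.map((r) => ({
  url: r.url,
  headers: { ...r.headers, 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" },
}));

console.log('frameable before:', auditFraming(before));
console.log('frameable after: ', auditFraming(after));
```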

Top Comments
  • 21
    house70, October 22, 2011 2:50 AM
    Weren't Macs supposed to be secure?
  • 15
    AbdullahG, October 22, 2011 3:14 AM
    Quote (house70): Weren't Macs supposed to be secure?

    Just a myth Apple started. In fact, they are somewhat less secure than Windows. Most Mac users don't have an antivirus installed, not to mention Macs are shipped with their firewall off. The reason for few virus infections on Mac is because of how small they are compared to Windows users.

    Funny to hear Apple fans say that Macs don't get viruses though :D 
  • 13
    halcyon, October 22, 2011 3:44 AM
    Quote (AbdullahG): Funny to hear Apple fans say that Macs don't get viruses though

    Do Mac users still say that? People also used to say the Earth was flat.
Other Comments
  • 6
    ben850, October 22, 2011 2:36 AM
    Crap like this is why I always keep my webcam facing the wall when it's not in use, and I have a piece of tape over my laptop's cam.
  • 4
    Ragnar-Kon, October 22, 2011 3:47 AM
    Quote (AbdullahG): Just a myth Apple started. In fact, they are somewhat less secure than Windows. Most Mac users don't have an antivirus installed, not to mention Macs are shipped with their firewall off. The reason for few virus infections on Mac is because of how small they are compared to Windows users. Funny to hear Apple fans say that Macs don't get viruses though

    It is a myth. In a way they are more secure, but only because there are simply fewer people making viruses for them, and fewer users to spread those viruses.
    And yes Macs used to ship without the firewalls turned on, but I believe that has changed now. At least, the firewalls were turned on on the 7 Mac Pros I set up this past week at work.

    But anyway, at least Adobe is working on it.
  • 6
    AbdullahG, October 22, 2011 4:11 AM
    Quote (halcyon): Do Mac users still say that? People also used to say the Earth was flat.

    Yup. I know quite a lot of people (most of whom are my peers) who prefer Macs over PC and claim Macs don't have viruses...

    Quote (Ragnar-Kon): It is a myth. In a way they are more secure, but only because there is simply less people making viruses for them, and less users to spread those viruses. And yes Macs used to ship without the firewalls turns on, but I believe that has changed now. At least, the firewalls were turned on the 7 Mac Pros I set up this past week at work. But anyway, at least Adobe is working on it.

    I guess, though it seems as though Mac exploits can be extremely lethal. Invasion of privacy through a webcam is pretty extreme for exploits, not to mention the exploding battery exploit. They still seem unlikely to spread and become common issues.
  • -5
    amk-aka-Phantom, October 22, 2011 4:56 AM
    Quote (halcyon): Do Mac users still say that? People also used to say the Earth was flat.

    Halcyon, STOP defending Mac users. You don't realise you're an exception. Most of Mac users ARE ignorant illiterate arrogant stubborn zombies who refuse to understand the fact their favourite fruity company is brainwashing them to believe in their innovation instead of really innovating. Defending them - especially in the manner you do - makes you look like a fool, and from all your posts in our home thread I know you aren't, so I don't see why you have to do this.
  • -1
    vaguedreams, October 22, 2011 7:08 AM
    Why the MAC hate? This is purely Adobe's issue.
  • 9
    JOSHSKORN, October 22, 2011 7:37 AM
    Blah blah Macs are more secure than Windows, Macs don't get viruses and Macs don't freeze.

    Yeah if you believe all that, there is no hope for you, but you're probably too busy playing Angry Birds on your iPhone to even read this, much less understand how technology actually works.
  • 3
    molo9000, October 22, 2011 8:46 AM
    Adobe Flash exploits are nothing new and happen constantly. This one is big news, just because it's Apple news.

    btw: He says it doesn't work "on most browsers on Windows". Does that mean it works on at least one?

    Quote (AbdullahG): I guess, though it seems as though a Mac exploits can be extremely lethal. Invasion of privacy through a webcam is pretty extreme for exploits, not to mention the exploding battery exploit.

    Accessing the webcam is actually less extreme than an exploit that allows you to hijack a computer. (Which is the goal of most exploits)
    The exploding battery exploit was a myth. Nobody actually managed to blow up a battery by modifying the firmware.
  • 4
    phatboe, October 22, 2011 8:47 AM
    Can someone tell me why did Adobe change it so that the user preferences are accessible through a web page? Flash settings didn't use to be like that, did they? Making that change seems stupid to me.
  • 7
    de5_Roy, October 22, 2011 9:49 AM
    ah good ol' adobe flash. whenever you need an application to turn your system vulnerable, adobe flash always delivers.
    this isn't about mac, this is about adobe flash compromising your system (whichever platform it may be).
    good thing (unless it opens up another flash vulnerability) adobe solved the issue.
    i still can't change flash player preferences and the cache options always reset to default. :( 
    i hope html5 kicks flash's ass.
  • 3
    de5_Roy, October 22, 2011 9:51 AM
    Quote:
    He reportedly told Adobe about the gaping hole after it was first discovered, but once a few weeks passed by without any kind of response, he decided to bring the exploit out in the open to force Adobe's hand.

    Looks like it worked.

    lol serves adobe right.
  • 3
    Anonymous, October 22, 2011 11:06 AM
    @phatboe

    no, the setting was always on the adobe website, but a few months ago they now have that setting on the control panel also.
  • 4
    hairystuff, October 22, 2011 11:35 AM
    Security through obscurity, never a good practice, and that's also why I liked the old FireWire iSights, they had a physical shutter on them to prevent perving eyes.
  • 0
    Wish I Was Wealthy, October 22, 2011 1:37 PM
    I'm all okay, I only use pc stuff anyway. So this just shows you that Apple gear is not always safe like they tell you it is.
  • 2
    nukemaster, October 22, 2011 2:07 PM
    Webcam, people still use those? I still like the old-fashioned go see people in real life. Then again, I use phones to make calls too.
  • 3
    ojas, October 22, 2011 2:31 PM
    this is why i use a pc, don't keep my web cam connected (hardly used anyway), and mute my mike.

    Quote (vaguedreams): Why the MAC hate? This is purely Adobe's issue.

    we're hating on Macs (because it's fun, among other more important things) and not on Media Access Control. :p 
  • 4
    serendipiti, October 22, 2011 2:37 PM
    Anyone remember Titanic? I think computer security is a little like that. You get vulnerable when you think you don't need to care. Some OSes or platforms are more secure simply because they force you to use secure practices (remember UAC on Vista). Modern platforms have been designed with security issues already learned and fixed, so it makes little sense to discuss the security of platforms as something inherent to the platform. The approach is taken from the user's point of view (say what you want about Mac / Linux lacking AV, but Windows relied on 3rd party software...). I agree that the number of threats relates to the number of users, but security has to do with your own practices and not the platform itself, because sometimes the security flaw comes from social engineering (guessing your password, etc...). I don't want to take the guilt away from Adobe, they need to fix that. Inventing is always easier and faster than society adapting to the invention; this has to do with human nature and how we will use the invention, just some little time to get our habits clean and safe (as we do with our house keys).
  • 4
    bobusboy, October 22, 2011 3:50 PM
    Quote (halcyon): Do Mac users still say that? People also used to say the Earth was flat.

    People still say the earth is flat....

    http://theflatearthsociety.org/cms/