Adobe Flash Exploit Gave Websites Access to Webcams

On Thursday, Adobe said that it had resolved a nasty "clickjacking" Mac-only issue with Adobe Flash that allowed websites to access a visitor's webcam without permission. The company said the problem actually resided within the Flash Player Settings Manager SWF file hosted on the Adobe website. No further details were released, other than that user intervention and/or a Flash Player product update is not required.

The exploit was first exposed on Tuesday by researcher and Stanford computer science major Feross Aboukhadijeh. He discovered that webcam and microphone abduction was performed by using a variation of the normal clickjacking technique. He reportedly told Adobe about the gaping hole after it was first discovered, but once a few weeks passed by without any kind of response, he decided to bring the exploit out in the open to force Adobe's hand.

Looks like it worked.

"I stumbled upon this blog post entitled 'Malicious camera spying using ClickJacking' where the author shows how to clickjack the Adobe Flash Settings Manager page to enable users’ webcams," Feross said on Tuesday. "He accomplishes this by putting the whole settings page into an iframe and making it invisible. Then, unsuspecting users play a little game and unwittingly enable their webcams. Adobe quickly added framebusting code to the Settings Manager page (why wasn’t it there in the first place?), and the attack stopped working."

"But alas, the same attack is actually still possible," he added. "Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file. This let me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!"
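The account above shows why framebusting script in a wrapper page is not enough: it protects only the HTML that carries it, and a resource requested directly arrives without it. As an added example (not from the article, Feross or Adobe, and not a description of Adobe's fix), this JavaScript audit checks each response's own headers to see whether a browser would refuse cross-origin framing; the URLs and header sets are constructed.

```javascript
// Added example: decide from response headers alone whether a browser
// would let another origin frame a resource.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Returns { frameable, reason } for embedding by a different origin.
function crossOriginFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // When present, frame-ancestors is used instead of X-Frame-Options.
    // An empty list or 'none'/'self' admits no other origin; hosts, schemes or * do.
    const strict = ancestors.every((s) => ["'none'", "'self'"].includes(s.toLowerCase()));
    return { frameable: !strict, reason: "CSP frame-ancestors " + ancestors.join(" ") };
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  // Only DENY and SAMEORIGIN count; ALLOW-FROM is obsolete and ignored by current browsers.
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { frameable: false, reason: "X-Frame-Options " + xfo };
  }
  return { frameable: true, reason: "no framing header on this response" };
}

// Audit every URL that is served, not only the HTML wrapper page.
function auditFraming(responses) {
  return responses
    .map((r) => ({ url: r.url, ...crossOriginFraming(r.headers) }))
    .filter((r) => r.frameable);
}

// Constructed sample: a wrapper page, the SWF it embeds, and another page.
const SAMPLE = [
  { url: "https://site.example/settings.html", headers: { "X-Frame-Options": "DENY" } },
  { url: "https://site.example/settings.swf", headers: { "Content-Type": "application/x-shockwave-flash" } },
  { url: "https://site.example/help.html", headers: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" } },
];

console.log(auditFraming(SAMPLE)); // lists only settings.swf
```

Run it over every URL a site serves, including embedded objects and downloads, since each response is evaluated on its own headers.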

But now there's nothing to fear, Mac users: Adobe has supposedly fixed the problem. Still, for those interested in how the webcam kidnapping worked, Feross has provided a 5-minute demonstration, as seen below.

HOW TO: Spy on the Webcams of Your Website Visitors

    Top Comments
  • Weren't Macs supposed to be secure?
    21
  • house70: Weren't Macs supposed to be secure?

    Just a myth Apple started. In fact, they are somewhat less secure than Windows. Most Mac users don't have an antivirus installed, not to mention Macs are shipped with their firewall off. The reason for few virus infections on Mac is because of how small they are compared to Windows users.

    Funny to hear Apple fans say that Macs don't get viruses though :D
    15
  • AbdullahG: Funny to hear Apple fans say that Macs don't get viruses though


    Do Mac users still say that? People also used to say the Earth was flat.
    13
  • Other Comments
  • Crap like this is why I always keep my webcam facing the wall when it's not in use, and I have a piece of tape over my laptop's cam.
    6