A security flaw in Adobe Flash allowed websites to take control of webcams and microphones.
Thursday Adobe said that it resolved a nasty "clickjacking" Mac-only issue with Adobe Flash that allowed websites to access a visitor’s webcam without permission. The company said the problem actually resided within the Flash Player Settings Manager SWF file hosted on the Adobe website. No further details were released other than user intervention and/or Flash Player product updating is not required.
The exploit was first exposed on Tuesday by researcher and Stanford computer science major Feross Aboukhadijeh. He discovered that webcam and microphone abduction was performed by using a variation of the normal clickjacking technique. He reportedly told Adobe about the gaping hole after it was first discovered, but once a few weeks passed by without any kind of response, he decided to bring the exploit out in the open to force Adobe's hand.
Looks like it worked.
"I stumbled upon this blog post entitled 'Malicious camera spying using ClickJacking' where the author shows how to clickjack the Adobe Flash Settings Manager page to enable users’ webcams," Feross said on Tuesday. "He accomplishes this by putting the whole settings page into an iframe and making it invisible. Then, unsuspecting users play a little game and unwittingly enable their webcams. Adobe quickly added framebusting code to the Settings Manager page (why wasn’t it there in the first place?), and the attack stopped working."
But now there's nothing to fear, Mac users: Adobe has supposedly fixed the problem. Still, for those interested on how the webcam kidnapping worked, Feross has provided a 5-minute demonstration, as seen below.