Oxymoron of the Day: Humble Steve Ballmer
|
|
|
Adobe Flash exploit lets websites hijack your webcam
A COMPUTER SCIENCE STUDENT has uncovered an Adobe Flash exploit that allows web sites to hijack users' webcams with just a few clicks.
Feross Aboukhadijeh, a student at Stanford University, happened across the security loophole when searching for popular websites to employ clickjacking on. He discovered a previously reported exploit that uses an iframe of the Adobe Flash Settings Manager to secretly authorise changes to settings, but Adobe quickly addressed this by adding framebusting code to prevent the page being loaded in an iframe.
However, Aboukhadijeh discovered that Adobe had ignored the possibility that the settings .SWF file could still be loaded in an iframe, allowing him to completely bypass the framebusting code that Adobe had added to prevent this exploit.
The result is that users who click on certain links, or even just hover over them, will in fact be authorising the web site to turn on and access the user's webcam. The user does not see the settings file hidden in the iframe and does not know that what might seem like a normal button or link on a web site is actually a guise for the real button on the invisible settings page beneath, and they certainly won't know that their webcam has been turned on and someone might now be watching them.
Aboukhadijeh has so far only been able to get this exploit to work on the Firefox and Safari web browsers on Mac computers, primarily due to the ease of which the iframed files can be made transparent. He believes, however, that this attack could still be carried out on other web browsers and operating systems when using a more complicated technique of layering iframes.
Aboukhadijeh informed Adobe about the exploit several weeks ago through the Stanford Security Lab, but received no response, so he decided to post it publicly. As expected, Adobe issued a response to media queries immediately, saying it was working on a fix. Since then Adobe said it has released a behind the scenes fix to the Settings Manager, probably involving more framebusting code to stop the file from being loaded in an iframe.
While this might fix this exploit, we have to wonder how long it will be before someone else finds another workaround that effectively taps the same vulnerability, and if Flash really poses the kind of security risk that many people have long thought. µ
Tags: Security
Share this:
Share
just fixed this using some hitech duct tape over the web cam on my laptop. :) I believe this to be the fix adobe will be suggesting on their site in the near future. lalalalalala
you can only change certain settings by using the application on the macromedia site, so you would at least temporarily need to trust it to set up flash.
So that's why some might add an exception.
Besides, not everybody uses noscript, only the somewhat tech-savvy and informed people.
takes care of that (even on MAC) - why would anyone trust macromedia.com (or adobe)
I like his enthusiasm, pleasant to see.
That exploit would not work on my system though, but it's not about me, just about getting videos of the shenanigans of police chiefs and politicians, and videos of pretty girls maybe, just to relax you a bit after seeing those shenanigans you understand.