A COMPUTER SCIENCE STUDENT has uncovered an Adobe Flash exploit that allows web sites to hijack users' webcams with just a few clicks.
Feross Aboukhadijeh, a student at Stanford University, happened across the security loophole when searching for popular websites to employ clickjacking on. He discovered a previously reported exploit that uses an iframe of the Adobe Flash Settings Manager to secretly authorise changes to settings, but Adobe quickly addressed this by adding framebusting code to prevent the page being loaded in an iframe.
However, Aboukhadijeh discovered that Adobe had ignored the possibility that the settings .SWF file could still be loaded in an iframe, allowing him to completely bypass the framebusting code that Adobe had added to prevent this exploit.
The result is that users who click on certain links, or even just hover over them, will in fact be authorising the web site to turn on and access the user's webcam. The user does not see the settings file hidden in the iframe, and does not know that what looks like a normal button or link on the web site is actually a guise for the real button on the invisible settings page beneath it; they certainly won't know that their webcam has been turned on and someone might now be watching them.
Aboukhadijeh has so far only been able to get this exploit to work on the Firefox and Safari web browsers on Mac computers, primarily because of the ease with which the iframed files can be made transparent. He believes, however, that the attack could still be carried out on other web browsers and operating systems using a more complicated technique of layering iframes.
Aboukhadijeh informed Adobe about the exploit several weeks ago through the Stanford Security Lab, but received no response, so he decided to post it publicly. As expected, Adobe issued a response to media queries immediately, saying it was working on a fix. Since then Adobe has said it released a behind-the-scenes fix to the Settings Manager, probably involving more framebusting code to stop the file from being loaded in an iframe.
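The lesson for anyone serving a sensitive page is that framebusting JavaScript only runs when the HTML wrapper is what gets framed; a raw .swf (or image, or PDF) loaded directly carries no script, so only per-response HTTP headers (X-Frame-Options, or CSP frame-ancestors) can keep it out of an iframe. The audit below is an added example, not code from the article or from Adobe: it judges from headers alone which of a set of constructed sample responses a third-party origin could still frame, with a placeholder host standing in for the real settings manager.

```javascript
// Added example (not from the article or Adobe): judge, from HTTP headers alone,
// whether an embedding origin can put a response inside an iframe. Framebusting
// JavaScript in the HTML page is irrelevant here, because the raw .swf can be
// iframed instead and carries no script; only per-response headers protect it.
// Sample responses and host names below are constructed for illustration.

// Does one CSP frame-ancestors source expression match the embedding origin?
// Supports 'none', 'self', '*' and exact origins; wildcard hosts are not handled.
function sourceMatches(src, embedder, self) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder === self;
  if (s === "*") return true;
  return s === embedder.toLowerCase();
}

// Returns true when `embedder` may frame a response carrying `headers`,
// served from origin `self`. CSP frame-ancestors wins over X-Frame-Options.
function canBeFramed(headers, embedder, self) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h["content-security-policy"];
  if (csp) {
    const fa = csp.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === "frame-ancestors");
    if (fa) return fa.slice(1).some(src => sourceMatches(src, embedder, self));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === self;
  return true; // no framing policy at all: any site can overlay it
}

// Constructed sample: the HTML wrapper relies on JS framebusting (no header) and
// the .swf beside it has nothing; the two "hardened" copies carry headers.
const SETTINGS_HOST = "https://settings.example"; // placeholder, not Adobe's host
const RESPONSES = [
  { url: SETTINGS_HOST + "/settings.html", headers: { "Content-Type": "text/html" } },
  { url: SETTINGS_HOST + "/settings.swf", headers: { "Content-Type": "application/x-shockwave-flash" } },
  { url: SETTINGS_HOST + "/hardened/settings.swf",
    headers: { "Content-Type": "application/x-shockwave-flash", "X-Frame-Options": "DENY" } },
  { url: SETTINGS_HOST + "/hardened/settings.html",
    headers: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" } },
];

// List the URLs a given third-party origin could still load in an iframe.
function framableBy(responses, embedder) {
  return responses
    .filter(r => canBeFramed(r.headers, embedder, new URL(r.url).origin))
    .map(r => r.url);
}

console.log(framableBy(RESPONSES, "https://third-party.example"));
```

Run against a real deployment, every response under the sensitive path should come back empty for a foreign origin, not just the HTML entry point.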
While this might fix this exploit, we have to wonder how long it will be before someone else finds another workaround that effectively taps the same vulnerability, and if Flash really poses the kind of security risk that many people have long thought. µ