Feeds

Bug in Flash Player allowed Mac webcam spying

Adobe issues patch for 'clickjacking' hole

The Essential Guide to IT Transformation

Updated Engineers on Thursday patched a hole in Adobe's ubiquitous Flash Player that allowed website operators to silently eavesdrop on visitors' webcam and microphone feeds without permission.

To be attacked, visitors needed to do no more than visit a malicious website and click on a handful of buttons like the ones in this live demonstration. Without warning, the visitor's camera and microphone were activated and the video and audio intercepted. The attack closely resembled a separate Flash-based attack on webcams from 2008 using a class of exploit known as clickjacking.

Adobe said on Thursday it was planning to fix the vulnerability, which stems from flaws in the Flash Player Settings Manager. The panel, which is used to designate which sites may access feeds from an enduser's camera and mic, is delivered in the SWF format used by Flash. Feross Aboukhadijeh, a computer science student at Stanford University, discovered he could embed the SWF file as an invisible iframe and superimpose misleading graphics on top that tricked visitors into making changes to the underlying privacy settings.

“I've seen a bunch of clickjacking attacks in the wild, but I've never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it – let alone a SWF file as important as one that controls access to your webcam and mic!” Aboukhadijeh wrote in a blog post.

Because the settings manager is hosted on Adobe servers, engineers were able to close the hole without updating enduser software, company spokeswoman Wiebke Lips said. The change was pushed out early in the afternoon on Thursday, two days after Aboukhadijeh published his findings.

Shortly after security researchers Jeremiah Grossman and Robert “RSnake” Hansen documented clickjacking in 2008, Adobe patched Flash to blunt attacks that exploited the program to surreptitiously spy on the millions of people who use it. Engineers closed the hole by changing the behavior of Flash security dialog box when it's set to be transparent.

Aboukhadijeh was able to revive the attack by exploiting the settings manager, which until Thursday's fix, still allowed important settings to be made while it was in transparent mode.

He said his demonstration worked only against Macs when using Firefox or Safari, and that a CSS opacity bug prevented it from working on other operating systems and browsers. It wouldn't have been surprising if additional research uncovered ways to make the attack more universal.

Aboukhadijeh went on to say he went public after reporting the vulnerability to Adobe and getting no reply.

“It's been a few weeks and I haven't heard anything from Adobe yet,” he said. “I think it's worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.” ®

This article was updated throughout to reflect that Adobe has issued a patch.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.