Adobe to fix Flash flaw that allows webcam spying

The flaw is similar to one disclosed in 2008

Adobe is working on a fix for a Flash Player vulnerability that can be exploited via clickjacking techniques to turn on people's webcams or microphones without their knowledge.

The issue was discovered by a Stanford University computer science student named Feross Aboukhadijeh who based his proof-of-concept exploit on a similar one disclosed back in 2008 by an anonymous researcher.

Technically known as user interface (UI) redressing, clickjacking is a type of attack that combines legitimate Web programming features, like CSS opacity and positioning, with social engineering to trick users into initiating unwanted actions.

For example, clickjacking techniques have been used to trick Facebook users into liking rogue pages or posting spam on their walls by making Like and Share buttons transparent and superimposing them over legitimate-looking ones.

The 2008 webcam spying attack involved loading the Adobe Flash Player Settings Manager, which is actually a page hosted on Adobe's website, in an invisible iframe and tricking users into enabling webcam and microphone access through it.

The lure used by the exploit was a JavaScript game that required users to click various innocent-looking buttons on the screen. Some of the clicks were part of the game, while others were redirected to the invisible iframe.

Adobe responded at the time by inserting code into the Flash Player Settings Manager page that prevents it from being iframed. However, Aboukhadijeh realized that the settings manager is actually an SWF (Shockwave Flash) file and that loading it directly into an iframe, instead of the entire page, would bypass Adobe's frame-busting code.

In essence this is the same 2008 vulnerability exploited through a slightly different attack vector. "I was really surprised to find out that this actually works," Aboukhadijeh said.

He said that he emailed Adobe about the problem a few weeks ago, but got no response. However, the company contacted him after the public disclosure to inform him that they are working on a fix which will be deployed on their end and won't require users to update their Flash Player installations.

Using an SWF file hosted on Adobe's servers to modify Flash Player settings instead of a local interface is something that has generated problems before. For example, privacy advocates have complained in the past that this makes clearing Local Shared Objects (LSOs), commonly known as Flash cookies, difficult and confusing.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Topics: peripherals, online safety, applications, Adobe Systems, webcams, software, flash, Exploits / vulnerabilities, privacy, security, Desktop security, browsers, Access control and authentication
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?