
Hackers Are Watching You: Flash Clickjacking Vulnerability Exposes Webcams and Mics

A serious Flash Player vulnerability was exposed Thursday by online security experts. The clickjacking vulnerability lets hackers see and hear into your home through your webcam and microphone with only a single victim-initiated click.

The vulnerability affects all browsers with Flash Player installed, approximately 99% of browsers (that means you). Adobe has responded with the following instructions, which turn off all webcam and mic access from the internet:

  1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
  2. Select the “Always deny” button.
  3. Select ‘Confirm’ in the resulting dialog.
  4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

Jeremiah Greene and Robert Hanson from White Hat Security found the exploit over a month ago and were prepared to present the information at an OWASP conference. Adobe caught wind of the vulnerability and delayed the presentation to give its developers a chance to patch the bug. Now, Greene and Hanson have gone public with the information.

A video demonstration of the attack can be found on Greene’s blog and below.

Clickjacking Camjack Demonstration from Jeremiah Grossman on Vimeo.

‘Clickjacking’ is a newly discovered threat which invisibly places poisonous links under your mouse. When you click anywhere on the infected web page, the invisible link is activated. Unsuspecting users could then unknowingly install viruses or malware, thinking they clicked on a legitimate link instead.

The attacks use existing, widely used technology, such as JavaScript events, which makes the abuse widely effective and difficult to prevent. The only true way to protect yourself from being a victim of clickjacking would be to turn off JavaScript via browser preferences or plug-ins like NoScript.
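
As an added illustration (not from the original article or from the researchers), the check below models why a click can land on something the user never saw: it hit-tests a constructed page description and flags clicks whose topmost receiver is effectively invisible. The element fields (`rect`, `opacity`, `zIndex`) and the opacity threshold are assumptions for this sketch, not a browser API.

```javascript
// Added example: heuristic clickjacking check over a constructed page model.
// The fields rect, opacity and zIndex are assumptions, not a real browser API.
const VISIBLE_THRESHOLD = 0.1; // assumed: below this opacity a layer is unseen

function contains(rect, x, y) {
  return x >= rect.left && x < rect.left + rect.width &&
         y >= rect.top && y < rect.top + rect.height;
}

// Elements under the point, topmost first. Higher zIndex wins; on a tie the
// element that appears later in the list (document order) is on top.
function stackAt(elements, x, y) {
  return elements
    .map((el, order) => ({ el, order }))
    .filter(({ el }) => contains(el.rect, x, y))
    .sort((a, b) => (b.el.zIndex - a.el.zIndex) || (b.order - a.order))
    .map(({ el }) => el);
}

// Compare what receives the click with what the user can actually see there.
function auditClick(elements, x, y) {
  const stack = stackAt(elements, x, y);
  const receiver = stack[0] || null;
  const perceived = stack.find((el) => el.opacity >= VISIBLE_THRESHOLD) || null;
  const hijacked = receiver !== null &&
                   receiver.opacity < VISIBLE_THRESHOLD &&
                   perceived !== receiver;
  return {
    receiver: receiver && receiver.id,
    perceived: perceived && perceived.id,
    hijacked,
  };
}

// Constructed sample: a visible button covered by a fully transparent layer.
const samplePage = [
  { id: "page-body", rect: { left: 0, top: 0, width: 800, height: 600 }, opacity: 1, zIndex: 0 },
  { id: "play-button", rect: { left: 300, top: 200, width: 120, height: 40 }, opacity: 1, zIndex: 1 },
  { id: "hidden-frame", rect: { left: 280, top: 180, width: 200, height: 100 }, opacity: 0, zIndex: 10 },
];

console.log(auditClick(samplePage, 350, 220)); // click aimed at the button
console.log(auditClick(samplePage, 50, 50));   // click on empty page area
```
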
