It looks like the bug never saw malicious use in the wild, because the developers who noticed it alerted Apple and kept it secret while it was fixed. Like other clickjacking attacks, the most likely use is to get a user to inadvertently click an ad. An even more dangerous example, however, shows the attack being used to harvest passwords.
If the StreetView and Maps additions in the latest iPhone software weren’t enough to get you to download the free update, let this attack be reason enough.
A serious Flash Player vulnerability was exposed Thursday by online security experts. The clickjacking vulnerability gives hackers access to see and hear into your home via your web cam and microphone with only a single victim-initiated click.
Jeremiah Greene and Robert Hanson from White Hat Security found the exploit over a month ago and were prepared to present the information at an OWASP conference. Adobe caught wind of the vulnerability and delayed the presentation to give its developers a chance to patch the bug. Now, Greene and Hanson have gone public with the information.
A video demonstration of the attack can be found on Greene’s blog and below.
‘Clickjacking’ is a newly discovered threat that invisibly places poisonous links under your mouse. When you click anywhere on the infected web page, the invisible link is activated. Unsuspecting users could then unknowingly install viruses or malware, thinking they clicked on a legitimate link instead.