Net game turns PC into undercover surveillance zombie

Smile, your webcam has been clickjacked


Underscoring the severity of a new class of vulnerability known as clickjacking, a blogger has created a proof-of-concept game that uses a PC's video cam and microphone to secretly spy on the player.

The demo, which is available here, appears to be a simple game that tests how quickly a user can click on a series of moving targets. Behind the scenes, it combines a generic clickjacking attack with weaknesses in Adobe's Flash technology to record the player using the PC's video camera and microphone.

The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that's part of a click-fraud scheme, or any other destination the attacker chooses.

It plagues every major browser, Adobe Flash, and many other browsing technologies, according to Jeremiah Grossman and Robert "RSnake" Hansen, the researchers who first sounded the clickjacking alarm. The pair was scheduled to detail the threat two weeks ago at at OWASP's AppSec 2008 Conference in New York, but canceled the talk at the request of Adobe.

The unnamed blogger behind the game said his proof of concept used Flash, but the writer went on to say that the same thing could have been achieved using Java, SilverLight, or Dynamic Hyper Text Markup Language.

In our tests, the the proof-of-concept didn't work until after we enabled our video cam in the Windows XP Device Manager. Even then, we had trouble getting it to work with Firefox, possibly because we had the NoScript extension running (but disabled). But we had no such problems when using Internet Explorer. Within 40 seconds of pressing start, there we were playing the game. The words "Your camera was clickjacked" appeared in red.

Doubting Thomases will say the answer is to disable cams, mics, and other devices that can be misused or to simply uninstall Flash. But this is to miss the larger point: Right now, unknown web masters throughout the world can control the links you click on simply by luring you to their page. The list of ways this can be abused - we're thinking government spying, corporate espionage, cyber stalking, click fraud, and even creepier things we won't bother to mention - is limited only by the imagination. Turning off the webcam may limit the damage, but it doesn't remove the underlying threat.

"I had doubts about publishing this, but, if I could have understand [sic] it so are the bad guys, so it's better to know about it," the blogger writes.

After an earlier version of this story was published, Adobe issued this advisory giving step-by-step instructions for working around the threat while a fix is pending. The company also said it expected to patch the vulnerability by the end of October. So far, makers of Internet Explorer, Firefox, Java, Safari, SilverLight and the horde of other programs vulnerable to clickjacking have been mum. ®

Broader topics


Other stories you might like

  • 381,000-plus Kubernetes API servers 'exposed to internet'
    Firewall isn't a made-up word from the Hackers movie, people

    A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they're potentially vulnerable to abuse.

    Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network.

    "While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface," Shadowserver's team stressed in a write-up. "They also allow for information leakage on version and build."

    Continue reading
  • A peek into Gigabyte's GPU Arm for AI, HPC shops
    High-performance platform choices are going beyond the ubiquitous x86 standard

    Arm-based servers continue to gain momentum with Gigabyte Technology introducing a system based on Ampere's Altra processors paired with Nvidia A100 GPUs, aimed at demanding workloads such as AI training and high-performance compute (HPC) applications.

    The G492-PD0 runs either an Ampere Altra or Altra Max processor, the latter delivering 128 64-bit cores that are compatible with the Armv8.2 architecture.

    It supports 16 DDR4 DIMM slots, which would be enough space for up to 4TB of memory if all slots were filled with 256GB memory modules. The chassis also has space for no fewer than eight Nvidia A100 GPUs, which would make for a costly but very powerful system for those workloads that benefit from GPU acceleration.

    Continue reading
  • GitLab version 15 goes big on visibility and observability
    GitOps fans can take a spin on the free tier for pull-based deployment

    One-stop DevOps shop GitLab has announced version 15 of its platform, hot on the heels of pull-based GitOps turning up on the platform's free tier.

    Version 15.0 marks the arrival of GitLab's next major iteration and attention this time around has turned to visibility and observability – hardly surprising considering the acquisition of OpsTrace as 2021 drew to a close, as well as workflow automation, security and compliance.

    GitLab puts out monthly releases –  hitting 15.1 on June 22 –  and we spoke to the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, about what will be added to version 15 as time goes by. During a chat with the company's senior director of Product, Kenny Johnston, at the recent Kubecon EU event, The Register was told that this was more where dollars were being invested into the product.

    Continue reading

Biting the hand that feeds IT © 1998–2022