Bug in Flash Player allowed Mac webcam spying

Adobe issues patch for 'clickjacking' hole


Updated Engineers on Thursday patched a hole in Adobe's ubiquitous Flash Player that allowed website operators to silently eavesdrop on visitors' webcam and microphone feeds without permission.

To be attacked, visitors needed to do no more than visit a malicious website and click on a handful of buttons like the ones in this live demonstration. Without warning, the visitor's camera and microphone were activated and the video and audio intercepted. The attack closely resembled a separate Flash-based attack on webcams from 2008 using a class of exploit known as clickjacking.

Adobe said on Thursday it was planning to fix the vulnerability, which stems from flaws in the Flash Player Settings Manager. The panel, which is used to designate which sites may access feeds from an enduser's camera and mic, is delivered in the SWF format used by Flash. Feross Aboukhadijeh, a computer science student at Stanford University, discovered he could embed the SWF file as an invisible iframe and superimpose misleading graphics on top that tricked visitors into making changes to the underlying privacy settings.

“I've seen a bunch of clickjacking attacks in the wild, but I've never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it – let alone a SWF file as important as one that controls access to your webcam and mic!” Aboukhadijeh wrote in a blog post.

Because the settings manager is hosted on Adobe servers, engineers were able to close the hole without updating enduser software, company spokeswoman Wiebke Lips said. The change was pushed out early in the afternoon on Thursday, two days after Aboukhadijeh published his findings.

Shortly after security researchers Jeremiah Grossman and Robert “RSnake” Hansen documented clickjacking in 2008, Adobe patched Flash to blunt attacks that exploited the program to surreptitiously spy on the millions of people who use it. Engineers closed the hole by changing the behavior of Flash security dialog box when it's set to be transparent.

Aboukhadijeh was able to revive the attack by exploiting the settings manager, which until Thursday's fix, still allowed important settings to be made while it was in transparent mode.

He said his demonstration worked only against Macs when using Firefox or Safari, and that a CSS opacity bug prevented it from working on other operating systems and browsers. It wouldn't have been surprising if additional research uncovered ways to make the attack more universal.

Aboukhadijeh went on to say he went public after reporting the vulnerability to Adobe and getting no reply.

“It's been a few weeks and I haven't heard anything from Adobe yet,” he said. “I think it's worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.” ®

This article was updated throughout to reflect that Adobe has issued a patch.


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022