Flash Hole Allows for Spycam

Friday, October 21, 2011 @ 02:10 PM gHale

A flaw in Adobe Flash can allow a website administrator to remotely and silently turn on a visitor’s webcam and microphone.

This trick works in all versions of Flash in most Mac browsers, said Feross Aboukhadijeh, a computer science student at Stanford University.


Windows and Linux browsers are not susceptible, probably because of a CSS bug, but he added that adapting the technique to them would not be too difficult.

This method has seen use before, but since Adobe added framebusting JavaScript code to the settings page, the whole thing seemed fixed.

The old method relied on inserting the Adobe Flash Settings Manager page into an invisible iframe, masking it with a game or something that would urge users to click. Feross managed to bypass this restriction by putting only the SWF file into an iframe, instead of the whole settings page.
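As an added illustration of the lesson in the paragraph above (not code from the article, from Adobe or from Feross), a small Python audit that classifies how each resource of a constructed site resists being framed: a framebusting script inside the HTML wrapper protects nothing once the embedded object file is framed directly, so only a server-enforced anti-framing header counts. All URLs, headers and bodies below are constructed samples.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Constructed stand-in for an HTTP response (not a real fetch)."""
    url: str
    content_type: str
    headers: dict = field(default_factory=dict)
    body: str = ""


# Typical framebusting idioms: "if (top != self) ..." or a top.location check.
FRAMEBUST_RE = re.compile(r"top\s*!==?\s*self|top\.location\s*!==?\s*self\.location")


def framing_protection(resp):
    """Classify a resource's defence against being loaded in a hostile frame.

    'header' - X-Frame-Options or CSP frame-ancestors, enforced by the browser
               before anything renders (assumed honoured for this resource type).
    'script' - only a framebusting script in the HTML; it never runs when a
               non-HTML resource such as the SWF is framed on its own.
    'none'   - nothing stops a third-party page from framing and masking it.
    """
    h = {k.lower(): v for k, v in resp.headers.items()}
    if "x-frame-options" in h or "frame-ancestors" in h.get("content-security-policy", ""):
        return "header"
    if resp.content_type.startswith("text/html") and FRAMEBUST_RE.search(resp.body):
        return "script"
    return "none"


def frameable_resources(responses):
    """URLs still frameable by a third party: anything not protected by a header."""
    return [r.url for r in responses if framing_protection(r) != "header"]


# Constructed site map: an HTML wrapper with framebusting, the SWF it embeds
# with no protection at all, and a hardened SWF served with a header.
SAMPLE = [
    Response("https://settings.example/manager.html", "text/html", {},
             "<script>if (top != self) top.location = self.location;</script>"
             "<object data='manager.swf'></object>"),
    Response("https://settings.example/manager.swf", "application/x-shockwave-flash"),
    Response("https://settings.example/hardened.swf", "application/x-shockwave-flash",
             {"X-Frame-Options": "DENY"}),
]
```

Running `frameable_resources(SAMPLE)` lists both the wrapper page and the bare SWF, which is exactly the gap the direct-SWF iframe exploited.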

Because Adobe didn’t pay attention to his warnings he decided to make the whole thing public.

“I reported this vulnerability to Adobe a few weeks ago through the Stanford Security Lab. It’s been a few weeks and I haven’t heard anything from Adobe yet. I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly,” he said.

The publication of the concept resulted in a quick reply.

“Engineering is currently working on a fix. Note that this issue does not involve/require a product update and/or customer action. It’s a fix we are making on our end online, and it is going to be pushed live as soon as QA has completed their testing,” said Adobe spokeswoman Wiebke Lips.
