Adobe Patches Flash Video Snooper Vulnerability

A fix has been made to a flaw that allowed “clickjackers” to take control of Webcams and microphones

Adobe has patched a Flash Player bug that could allow Websites to turn on a visitor’s camera and microphone without permission.

The flaw was first reported in 2008 and Adobe soon fixed it by changing how the Flash security dialog box behaved when it was displayed in hidden mode.

Primarily A Mac Attack

This month, on 18 October, Feross Aboukhadijeh showed how it could still be exploited on Firefox and Safari for Apple’s Mac computers but he said that Windows browsers did not seem to work the same way with cascading style sheets (CSS).

Aboukhadijeh set the Adobe Flash security dialog box as an invisible iFrame (a frame within a normal Webpage), and superimposed a normal Webpage over the top. This could be used to trick by showing different buttons on the front screen that corresponded to those on the Flash security screen. By clicking on the seemingly normal screen, the button pushes were actually transferred to the buttons on the hidden screen.

This allowed his program to secretly store his Web address to be allowed to use the camera and microphone functions at any time. This is a classic method used by “clickjackers” to trick unwary users into giving away passwords and other useful information.

“Although every browser and OS is theoretically susceptible to this attack, the process to activate the Webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off,” admitted Aboukhadijeh. “I’m not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don’t have to find out.”

He reported the flaw to Adobe a few weeks before writing his blog but did not hear anything back from the company. “I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly,” he said.

It seems that Adobe had been paying attention because on 19 October the company said a fix had been made. A blog by Wendy Poland, a member of the Adobe Product Security Incident Response Team, wrote: “Adobe is aware of a report describing a clickjacking issue related to the online Flash Player Settings Manager. We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe Website. No user action or Flash Player product update are required.”