A computer science student at Stanford University has discovered a hole in Adobe Flash that could be used by an attacker to furtively enable the victim’s camera and microphone. The vulnerability is not in Flash itself, but in the Adobe Flash Settings Manager page.
According to Feross Aboukhadijeh, the Stanford University student who discovered this hole, he notified Adobe a few weeks back but has yet to hear back from them. It’s this lack of response that prompted him to make the vulnerability public.
He has even posted a video showing the hole being exploited using a clickjacking attack, which involves iframing the settings SWF file on the above-named page. But luckily for Windows users, it only appears to be working on Firefox and Safari for Mac. Ironically, other browsers owe their immunity from this exploit to “a weird CSS opacity bug” in them.