Flash Flaw Allows Remote Activation of Webcam, Mic

Pulkit Chandna

A computer science student at Stanford University has discovered a hole in Adobe Flash that could be used by an attacker to furtively enable the victim’s camera and microphone. The vulnerability is not in Flash itself, but the Adobe Flash Settings Manager page. More details about the vulnerability can be found after the jump.

According to Feross Aboukhadijeh , the Stanford University student who discovered this hole, despite having notified Adobe a few weeks back he has yet to hear back from them. It’s this lack of response that prompted him to make the vulnerability public.

He has even posted a video showing the hole being exploited using a clickjacking attack which involves iframing of the settings SWF file on the above-named page. But luckily for Windows users, it only appears to be working on Firefox and Safari for Mac. Ironically, other browsers owe their immunity from this exploit to “a weird CSS opacity bug” in them.

“Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file,” he said in a blog post. “This let me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!”

Around the web