Adobe Flash bug allow spying Webcam hole


The flaw was disclosed in 2008 and can be exploited to turn on people's webcams or microphones without their knowledge. Attack involved putting the Adobe Flash Settings Manager page into an iFrame and masking it with a game, so that when the user clicked on the buttons he would actually change the settings and turn on the webcam.

Adobe is working on a fix for a Flash Player vulnerability that can be exploited via clickjacking techniques to turn on people's webcams or microphones without their knowledge.The issue was discovered by a Stanford University computer science student named Feross Aboukhadijeh who based his proof-of-concept exploit on a similar one disclosed back in 2008 by an anonymous researcher.

Once it was made public, Adobe fixed the issue by adding framebusting code to the Settings Manager page. But now, Stanford University computer science student Feross Aboukhadijeh managed to bypass the framebusting JavaScript code by simply putting the settings SWF file into the iFrame, and made the clickjacking attack possible again.

In essence this is the same 2008 vulnerability exploited through a slightly different attack vector. "I was really surprised to find out that this actually works," Aboukhadijeh said.

He said that he emailed Adobe about the problem a few weeks ago, but got no response. However, the company contacted him after the public disclosure to inform him that they are working on a fix which will be deployed on their end and won't require users to update their Flash Player installations.

Using an SWF file hosted on Adobe's servers to modify Flash Player settings instead of a local interface is something that has generated problems before. For example, privacy advocates have complained in the past that this makes clearing Local Shared Objects (LSOs), commonly known as Flash cookies, difficult and confusing.