Adobe to fix Flash flaw that allows webcam spying
The flaw is similar to one disclosed in 2008
IDG News Service - Adobe is working on a fix for a Flash Player vulnerability that can be exploited via clickjacking techniques to turn on people's webcams or microphones without their knowledge.
The issue was discovered by a Stanford University computer science student named Feross Aboukhadijeh who based his proof-of-concept exploit on a similar one disclosed back in 2008 by an anonymous researcher.
Technically known as user interface (UI) redressing, clickjacking is a type of attack that combines legitimate Web programming features, like CSS opacity and positioning, with social engineering to trick users into initiating unwanted actions.
For example, clickjacking techniques have been used to trick Facebook users into liking rogue pages or posting spam on their walls by making Like and Share buttons transparent and superimposing them over legitimate-looking ones.
The 2008 webcam spying attack involved loading the Adobe Flash Player Settings Manager, which is actually a page hosted on Adobe's website, in an invisible iframe and tricking users into enabling webcam and microphone access through it.
Adobe responded at the time by inserting code into the Flash Player Settings Manager page that prevents it from being iframed. However, Aboukhadijeh realized that the settings manager is actually an SWF (Shockwave Flash) file and that loading it directly into an iframe, instead of the entire page, would bypass Adobe's frame-busting code.
In essence this is the same 2008 vulnerability exploited through a slightly different attack vector. "I was really surprised to find out that this actually works," Aboukhadijeh said.
He said that he emailed Adobe about the problem a few weeks ago, but got no response. However, the company contacted him after the public disclosure to inform him that they are working on a fix which will be deployed on their end and won't require users to update their Flash Player installations.
Using an SWF file hosted on Adobe's servers to modify Flash Player settings instead of a local interface is something that has generated problems before. For example, privacy advocates have complained in the past that this makes clearing Local Shared Objects (LSOs), commonly known as Flash cookies, difficult and confusing.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Understanding big data so you can act with confidence Automating information integration and governance and employing it at the point of data creation helps organizations boost confidence in their big data.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Desktop Apps White Papers | Webcasts