A Stanford University student recently discovered a security flaw with Adobe’s Flash Player that allowed malicious users to activate your webcam and microphone without your knowledge. They could then tap into the video and audio to watch and listen to your every move.
OK, that sounded a lot less sensationalist in my head. Unfortunately, up until a few days ago, this exploit very much existed and Adobe was working feverishly on a fix.
Feross Aboukhadijeh, the aforementioned Stanford student, wrote about the flaw on October 18, after unsuccessfully contacting Adobe about it. The resulting media noise from the post forced the company into releasing a fix just two days later.
The problem itself wasn’t a glaring hole in Flash’s security, just an ingenious way of taking advantage of its (once) normal behaviour. Before the update, it was possible to hide the settings dialogue for Flash inside an iframe — a HTML element that allows you to embed one page inside another.
The dialogue can then be made invisible, and the user tricked into clicking not-at-all dangerous-looking buttons or widgets that actually sit over the settings window. Seeing as this window controls whether or not your webcam and/or microphone are enabled in Flash (as well as a bunch of other Flash-related settings), it would be very simple to fool a user into activating them.
The technique, more commonly known as “click-jacking”, isn’t new, but this was a very novel, if devious, way of using it.
A harmless proof-of-concept is available on Aboukhadijeh’s website, though it only works in Firefox and Safari. Indeed, I couldn’t get it working in Chrome.