Flash vulnerability allows silent activation of your webcam and mic

Feross Aboukhadijeh, Stanford University computer science student and software developer, has discovered a new vulnerability in Adobe Flash that can silently activate your webcam and microphone when visiting a website. In so doing, the person in control of the website performing the hijack can both watch and listen to you.

The vulnerability is to do with Adobe's Flash Player Settings Manager page, that little box that you can pop up as a user to change preferences to do with Flash. Adobe seems to have overlooked the fact that it is possible to embed the settings page in an iframe while at the same time rendering it invisible to the user.

Using a form of clickjacking, the unsuspecting user can be made to click on settings within the manager panel, but without seeing or knowing they are doing it. The end result is the user gives the site permission to turn on and view or hear webcam and microphone output.

Feross demonstrates a proof of concept in the video below using a simple clicking buttons game. As you can see, with only four clicks required his game turns on the webcam on his machine. A malicious site could do this, but without the user ever knowing.

The vulnerability has been confirmed as working on Firefox and Safari for Mac. Thankfully, a CSS opacity bug means Windows users aren't susceptible, and neither are Chrome users on Mac, although this is only because of the CSS bug; otherwise it would work.

Feross reported the issue to Adobe several weeks ago, but never heard anything back. Regardless of how useful or not this is to a hacker, by making it public hopefully Adobe can close the hole and stop it being a potential threat.

Read more at Feross.org and see it in action using a (safe) live demo.
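The attack described above depends on a page with a sensitive control being loadable inside another site's iframe. As an added example (not code from this article, Feross or Adobe), the function below checks whether a response's anti-framing headers would stop a foreign origin from framing it; it generalises from the Flash settings page to any page, and the origins and sample responses are constructed.

```javascript
// Added example: decide from response headers whether another origin may frame a page.
// Header names are standard; every origin below is a constructed sample value.
function canBeFramedBy(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    // An empty source list behaves like 'none': some() returns false.
    return sources.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === '*') return true;
      if (s === "'self'") return embedderOrigin === pageOrigin;
      return s === embedderOrigin.toLowerCase(); // simplification: exact origin only
    });
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no header or unrecognised value: framing is unrestricted
}

const PANEL = 'https://settings.example'; // constructed: page holding a sensitive control
const OTHER = 'https://game.example';     // constructed: unrelated embedding site

function auditSamples() {
  const responses = {
    'no anti-framing headers': {},
    'X-Frame-Options: DENY': { 'X-Frame-Options': 'DENY' },
    'X-Frame-Options: SAMEORIGIN': { 'X-Frame-Options': 'sameorigin' },
    "CSP frame-ancestors 'none'": { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
    'CSP * overrides XFO DENY': { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
  };
  const result = {};
  for (const [label, headers] of Object.entries(responses)) {
    result[label] = canBeFramedBy(headers, PANEL, OTHER);
  }
  return result;
}

console.log(auditSamples());
```

The last sample shows why both headers need to agree: a permissive `frame-ancestors` value replaces a stricter `X-Frame-Options` in browsers that enforce CSP.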