Malicious camera spying using ClickJacking

Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response.

Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario: you play a short game on the web and, by doing that, you unknowingly grant someone full access to your webcam and microphone.

I’ve made a live demo of it here; this demo won’t listen to or record any of your input.

If you don’t want to try it or don’t have a webcam connected, then check out the video.

When I first heard about ClickJacking and how Adobe is concerned about it, I thought that the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job disabling itself when you try to mess with its visibility through DHTML. Unless there’s some 0-day issue with the Dialog, it’s probably relatively safe.

The problem here is the Flash Player Settings Manager; this inheritance from Macromedia might be the Flash Player security Achilles’ heel.

I’ve written a quick and dirty JavaScript game that exploits just that and demonstrates how an attacker can get hold of the user’s camera and microphone. This can be used, for example, with platforms like ustream, justin and the like, or to stream to a private server to create a malicious surveillance platform.

I’ve made it as a JS game to make it easier to understand, but, bear in mind that every Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks, others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index.

I had doubts about publishing this, but if I could have understood it, so can the bad guys, so it’s better to know about it.

In this case Adobe could have just framebusted the pages that hold the Settings Manager. There are two issues with framebusting in this case: it won’t solve all cases (legacy browsers, for example) and it will force Adobe to rely on JavaScript.
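A sketch of what framebusting a sensitive settings page can look like, written to cope with the JavaScript dependency noted above by keeping the page hidden unless the script confirms it is the top-level document. This is an added example, not the author's or Adobe's code; `applyFrameGuard` is a hypothetical name and the page is assumed to ship with `<html style="display:none">`.

```javascript
// Added example: fail-closed frame guard for a sensitive settings page.
// Assumption: the page is served with <html style="display:none">, so it
// stays invisible if this script never runs (for example, scripting disabled
// inside the frame). applyFrameGuard is a hypothetical name.
function applyFrameGuard(win) {
  const root = win.document.documentElement;

  let framed;
  try {
    // In a top-level document, window.self and window.top are the same object.
    framed = win.self !== win.top;
  } catch (e) {
    // Any error during the check is treated as "framed" (fail closed).
    framed = true;
  }

  if (!framed) {
    // Verified top-level: only now make the sensitive controls visible.
    root.style.display = "block";
    return "shown";
  }

  // Framed: keep the controls hidden so there is nothing to click on,
  // then try to replace the framing page with this one.
  root.style.display = "none";
  try {
    win.top.location = win.self.location.href;
    return "busted";
  } catch (e) {
    // The framing page blocked navigation; the content still stays hidden.
    return "hidden";
  }
}

// In a browser, run this as the first script on the page.
if (typeof window !== "undefined") {
  applyFrameGuard(window);
}
```

The hide-by-default step is what covers the case where the bust itself is prevented: the page may remain framed, but it renders nothing for an overlay to line clicks up with.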

Play it here, watch it here

67 Responses to “Malicious camera spying using ClickJacking”

  1. [...] Using clickjacking to hijack a webcam. [...]

  2. [...] related Proof Of Concept at Guya shows how using clickjacking to grant access to the webcam in flash, it no longer works. Great job [...]

  3. [...] count. Jeremiah and I got the final word today that it was fine to start talking about this due to the click jacking PoC against Flash that was released today (watch the video for a good demonstration) that essentially spilled the beans regarding several of [...]

  4. [...] is appropriate for the attack, if you’re into espionage and voyeurism. The first public proof of concept that I found illustrates that an attacker could remotely use your webcam and/or microphone. [...]

  5. John aniime says:

    Click Jacking has long since been called by search engine marketers… u need a new term.

    what click jacking really is is swapping in your own ads into someone else’s page often by overlaying or using javascript or filtering their content

  6. [...] where users are fooled into unknowingly performing sensitive actions on external sites. It’s been demonstrated in several videos. Although it’s similar to cross-site request forgery, it can’t be prevented using [...]

  7. [...] Malicious camera spying using ClickJacking [...]

  8. [...] This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs. [...]

  9. Decapper says:

    Yeah I would hate for this to happen -http://www.pricelessweddings.com.au as I would be caught pants down :)

  10. [...] action, please visit the blog post of Flash developer Guy Aharonovsky, where he demonstrates in a video how a user unintentionally changes his browser’s security settings while playing a JavaScript [...]

  11. [...] is based on a new vulnerability discovered in Adobe’s Flash Software and published about on Guya.net, Rsnake’s Blog and Jeremiah Grossman’s [...]

  12. [...] first got my attention through this article I came across at Guya.net which exemplifies how a user’s webcam can become compromised by utilizing clickjacking to manipulate [...]

  13. travesti says:

    ction, please visit the blog post of Flash developer Guy Aharonovsky, where he demonstrates in a video how a user unintentionally changes his browser’s security settings while playing a JavaScript

  14. [...] video is available on the Guya.net blog. Adobe, for its part, responded quickly by partly fixing the problem (in [...]

  15. Clickjacking – Attacks on sites without vulnerabilities…

    Clickjacking is a fairly new threat to web applications, but one that has already caused damage several times in its short history. Discovered in 2008, first exploited in attacks in 2009, refined in 2010 – that is quite a steep car…

  16. Clickjacking – Complicated actions are possible too…

    Hijacking a single click with clickjacking already takes some effort, as the demonstration by Jeremiah Grossman and Robert “RSnake” Hansen showed in the previous installment. If an attacker wants several cl…

  17. [...] younger brother, Adam Remember ClickJacking? The generic flaw in web browsers and HTML. Remember Webcam Clickjacking? My PoC showing how this flaw can be used to take control over a victim webcam and [...]
