Malicious camera spying using ClickJacking

Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response. —-

Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario, you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

I’ve made a live demo of it in here, this demo won’t listen or record any of your input.

If you don’t want to try it or don’t have a webcam connected, then check out the video.

When I’ve first heard about ClickJacking and how Adobe is concerned about it, I thought that the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job disabling itself when you try to mess with it’s visibility through DHTML. Unless there’s some 0-day issue with the Dialog it’s probably relatively safe.

The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.

I’ve written a quick and dirty Javascript game that exploit just that, and demonstrate how an attacker can get a hold of the user’s camera and microphone. This can be used, for example, with platform like ustream, justin and alike or to stream to a private server to create a malicious surveillance platform.

I’ve made it as a JS game to make it easier to understand, but, bear in mind that every Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks other are jacked clicks. Every time the click is needed to be jacked the content simply move behind the iframe using z-index

I had doubts about publishing this, but, if I could have understand it so are the bad guys, so it’s better to know about it.

In this case Adobe could have just framebust the pages that holds the Settings Manager. There are two issues with frambusting in this case, it won’t solve all cases (legacy browsers for ex) and will force Adobe to rely on javascript.

Play it here, watch it here

105 thoughts on “Malicious camera spying using ClickJacking

  1. This is Dong-bin(Elisabeth) Kim and I’m a reporter of Information Security 21C, mothly magazine, and Boan news, internet daily news site.
    I’m very impressed, so I’d like to introduce your PoC via our magazine.
    So, if you’re O.K, I’d like to capture you PoC and put it into our magazine.
    Please send comment to me.

  2. Click Jacking has long since been called by search engine marketers… u need a new term.

    what click jacking really is is swapping in your own ads into someone elses page often by overlaying or using javascript or filtering their content

  3. ction, please visit the blog post of Flash developer Guy Aharonovsky, where he demonstrates in a video how a user unintentionally changes his browser’s security settings while playing a JavaScript

  4. action, please visit the blog post of Flash developer Guy Aharonovsky, where he demonstrates in a video how a user unintentionally changes his browser’s security settings while playing a JavaScript

  5. Clickjacking is a relatively new threat to Web applications for, which in its short history, but damage done several times already. I can only recommend everyone to be vigilant.

  6. My programmer is trying to persuade me to move to
    .net from PHP. I have always disliked the idea because of the costs.
    But he’s tryiong none the less. I’ve been using WordPress on a number of
    websites for about a year and am worried about switching to another platform.
    I have heard good things about blogengine.net. Is there a way I can transfer all my wordpress content into it?
    Any help would be really appreciated!

    Here is my webpage; real estate agents malaysia

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>