Category Archives: Games

Malicious camera spying using ClickJacking

Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response.

Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario: you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

I’ve made a live demo of it here; this demo won’t listen to or record any of your input.

If you don’t want to try it or don’t have a webcam connected, then check out the video.

When I first heard about ClickJacking and how Adobe is concerned about it, I thought that the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job of disabling itself when you try to mess with its visibility through DHTML. Unless there’s some 0-day issue with the Dialog, it’s probably relatively safe.

The problem here is the Flash Player Settings Manager; this inheritance from Macromedia might be the Flash Player security Achilles heel.

I’ve written a quick and dirty JavaScript game that exploits just that, and demonstrates how an attacker can get hold of the user’s camera and microphone. This can be used, for example, with platforms like ustream, justin and the like, or to stream to a private server to create a malicious surveillance platform.

I’ve made it as a JS game to make it easier to understand, but bear in mind that every Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks, others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index.

I had doubts about publishing this, but if I could understand it, so can the bad guys, so it’s better to know about it.

In this case Adobe could have just framebusted the pages that hold the Settings Manager. There are two issues with framebusting in this case: it won’t solve all cases (legacy browsers, for example) and it will force Adobe to rely on JavaScript.
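As an illustration of the framebusting defence discussed above, here is an added example (not Adobe's code and not part of the original post) of a fail-closed frame-buster. It assumes the protected page ships with a hypothetical `<style id="antiClickjack">body{display:none}</style>` element, so the content stays hidden whenever the script does not run; the window object is passed in as a parameter so the logic can be exercised outside a browser.

```javascript
// Added example: defensive frame-busting logic for a sensitive settings page.
// Assumption: the page includes <style id="antiClickjack">body{display:none}</style>
// (hypothetical id), so with JavaScript disabled the page stays invisible
// instead of being clickable inside a hostile frame.

// True when this document is not the top-level browsing context.
function isFramed(win) {
  return win.self !== win.top;
}

// Returns 'revealed' (top-level, content shown), 'busted' (framed, top window
// navigated to this page) or 'hidden' (framed, break-out blocked, still hidden).
function guardAgainstFraming(win) {
  const doc = win.document;
  if (!isFramed(win)) {
    // Top-level document: remove the hiding style and reveal the page.
    const style = doc.getElementById('antiClickjack');
    if (style && style.parentNode) {
      style.parentNode.removeChild(style);
    }
    return 'revealed';
  }
  // Framed: leave the hiding style in place and try to replace the framing
  // page with this one.
  try {
    win.top.location = win.self.location.href;
    return 'busted';
  } catch (e) {
    // The parent prevented top navigation (for example a sandboxed iframe).
    // The content is still hidden, so overlaid clicks hit nothing visible.
    return 'hidden';
  }
}

// In a browser this would be called as: guardAgainstFraming(window);
```

Because the page is hidden by default and only revealed after the top-level check passes, the two weaknesses named above degrade to an unusable page rather than a clickable one.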

Play it here, watch it here

Reliving your childhood through every browser

This is what fMAME is all about: it’s a MAME (Arcade Games Emulator) written in Flash that runs in every browser with no installation. I get enthusiastic remarks like “Wow I used to play this on the arcade” from most of the people I’ve sent the link to. For now, there’s no sound and only a handful of games are supported, but it’ll surely improve in the future.

Of course I could have sent them the info on how to download and run the desktop MAME emulator and how to find ROMs for it. It’ll give them the same experience of traveling back in time. But how many will bother to do that? Yes, it’s simple, but common users want it to be very simple. They don’t want to be bothered with downloads and installation; they want to follow a link and start the experience.

The second thing I hear from the people I’ve sent this link to is, “how did they do that?!” Then I need to explain that Flash isn’t just for Ajax-like websites; it’s a complete platform that is only (mainly) stoppable by the creator’s imagination.

Did I mention it runs in every browser?! ;)

Play fMAME

Donkey_Kong

Ghostsn_Goblins

Bubble_Bobble

Fun to play Flash Lite games at a mobile near you

Playyoo is about bringing the game experience we have become used to getting inside our browser to our mobile devices. Simply direct your mobile phone to m.playyoo.com to get instant fun. No need for any installations, no need to go through boring textual catalogs of games. All you need is a Flash Lite supported device, no matter which version.

Lately the playyoo game catalog has grown considerably since they opened their beta with only 13 Flash Lite games. The growth came partially because of the game creation contest that was recently closed, and the winners were announced today.

The winning game is Match the Blocks, an extremely simple and fun to play game that is very well suited to be played on a mobile phone. The game is written in the widely supported Flash Lite 1.1, so it’s likely to be pre-installed on your device.

Valve was hacked again

Valve, the maker of two of the best games of all time, Half-Life 2 and 1, was already hacked once in 2003. The source code of its highly anticipated and in-development game, Half-Life 2, was stolen and was then available for everyone on the web. Playable versions started to emerge, and the company had to postpone the release for months, which cost them a lot of money and pain. You might have thought that they learned from the experience, but it seems that they might have been hacked again. This time there is no source code for you to peek at; “only” sensitive data like users’ credit card numbers was stolen.

Read more about it…

The alleged hacker’s words…

At the moment there is no official confirmation of this, and personally I hope it isn’t true. I’d like Valve to use their time for delivering the next best games instead of having to deal with this.

Relive your childhood by playing your favorite DOS games

JPC is an x86 PC emulator written in Java. It’s an impressive piece of software developed by some uber geeks, but its most exciting Side Effect, as they call it, is that it enables you to “Relive your childhood by playing your favorite DOS games”. They have a demo running on their web site that lets you play some nostalgic DOS games. These are the exact original games and not clones. Playing these games and starting them from the DOS prompt really feels like traveling back in time; the only thing that is missing to complete the experience is the sound of the loading diskette drive.

Commander Keen 1

Commander Keen 1 intro

Commander Keen 1
Somehow this screen felt very nostalgic

Prince of Persia

Since it’s pure Java, it can theoretically run on any Java-enabled machine, even on a mobile phone.

Play JPC…

Tired of Ricki Lake?

Mr Paul Neave is not the next trash-TV host; he is a “serial Flash fettler and interactive designer”, or at least that’s what he calls himself. He is a Flash experimentalist who creates fun and useful Flash experiences. A few years back it was some high quality open source Flash games; an improved version can be found here, though sadly the source is not available anymore. Then came the Flash planetarium, a cool and accurate way to examine the stars from within the browser. Last year it was flashearth, which needs no introduction.
And now, his latest experiment is neave.tv, a cool replacement for your television. It is based on video services like youtube and google video; the improvement is that you can lean back and enjoy the show in full screen without needing to do anything. Which means you can be a couch potato again, only this time the shows are of much higher quality :D
Check it out: neave.tv