Adobe has patched a Flash Player bug that could allow Websites to turn on a visitor’s camera and microphone without permission.
The flaw was first reported in 2008 and Adobe soon fixed it by changing how the Flash security dialog box behaved when it was displayed in hidden mode.
This month, on 18 October, Feross Aboukhadijeh showed how it could still be exploited in Firefox and Safari on Apple’s Mac computers, but he said that Windows browsers did not seem to work the same way with cascading style sheets (CSS).
This allowed his program to secretly store his Web address as one permitted to use the camera and microphone functions at any time. This is a classic method used by “clickjackers” to trick unwary users into giving away passwords and other useful information.
“Although every browser and OS is theoretically susceptible to this attack, the process to activate the Webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off,” admitted Aboukhadijeh. “I’m not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don’t have to find out.”
He reported the flaw to Adobe a few weeks before writing his blog post but did not hear anything back from the company. “I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly,” he said.
It seems that Adobe had been paying attention, because on 19 October the company said a fix had been made. In a blog post, Wendy Poland, a member of the Adobe Product Security Incident Response Team, wrote: “Adobe is aware of a report describing a clickjacking issue related to the online Flash Player Settings Manager. We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe Website. No user action or Flash Player product update are required.”