Adobe Patches Flash Video Snooper Vulnerability

Adobe has patched a Flash Player bug that could allow Websites to turn on a visitor’s camera and microphone without permission.

The flaw was first reported in 2008 and Adobe soon fixed it by changing how the Flash security dialog box behaved when it was displayed in hidden mode.

Primarily A Mac Attack

This month, on 18 October, Feross Aboukhadijeh showed how it could still be exploited on Firefox and Safari for Apple’s Mac computers but he said that Windows browsers did not seem to work the same way with cascading style sheets (CSS).

Aboukhadijeh set the Adobe Flash security dialog box as an invisible iFrame (a frame within a normal Webpage), and superimposed a normal Webpage over the top. This could be used to trick by showing different buttons on the front screen that corresponded to those on the Flash security screen. By clicking on the seemingly normal screen, the button pushes were actually transferred to the buttons on the hidden screen.

This allowed his program to secretly store his Web address to be allowed to use the camera and microphone functions at any time. This is a classic method used by “clickjackers” to trick unwary users into giving away passwords and other useful information.

“Although every browser and OS is theoretically susceptible to this attack, the process to activate the Webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off,” admitted Aboukhadijeh. “I’m not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don’t have to find out.”

He reported the flaw to Adobe a few weeks before writing his blog but did not hear anything back from the company. “I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly,” he said.

It seems that Adobe had been paying attention because on 19 October the company said a fix had been made. A blog by Wendy Poland, a member of the Adobe Product Security Incident Response Team, wrote: “Adobe is aware of a report describing a clickjacking issue related to the online Flash Player Settings Manager. We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe Website. No user action or Flash Player product update are required.”

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

6 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

9 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

10 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

11 hours ago