Back in October 2011, Adobe reported fixing a clickjacking issue in the online Adobe Flash Player Settings Manager. However, experts say that the flaw can still be leveraged, at least with some web browsers, to allow access to a user’s webcam and microphone.
According to security researcher Egor Homakov, the exploit he has developed is not stable yet, but it appears to work properly on the Mac version of Chrome, Chromium on Linux, and possibly other configurations.
The proof-of-concept developed by Homakov (not safe for work) shows a slideshow of pictures of girls. In the middle of the screen, there’s a play button.
When the play button is pressed, the user is actually granting access to their webcam. The Flash permissions window is placed in an invisible layer, with the “Allow” button right under the play button.
If you run the PoC in Chrome on Mac, once you press the button, your webcam is activated and a picture is taken. Homakov’s exploit doesn’t store the pictures, but cybercriminals would probably store the information on their own servers.
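The invisible-layer arrangement described above can be checked for from the defender's side. The following is an added example, not code from Homakov's proof-of-concept or from Adobe: a heuristic that flags embedded plugin or frame content rendered with near-zero opacity over a visible click target. The element descriptors, the 0.1 opacity threshold and all names are assumptions made for illustration.

```javascript
// Heuristic: flag plugin/frame content rendered invisibly over a visible click target.
// Elements are constructed descriptors, not real DOM nodes; in a browser the same
// fields would come from getComputedStyle() and getBoundingClientRect().
const EMBED_TAGS = new Set(["object", "embed", "iframe"]);
const OPACITY_THRESHOLD = 0.1; // assumed cut-off for "effectively invisible"

// Opacity compounds down the tree: multiply the element's value by every ancestor's.
function effectiveOpacity(el, byId) {
  let opacity = 1;
  for (let cur = el; cur; cur = byId.get(cur.parent)) {
    opacity *= cur.opacity ?? 1;
  }
  return opacity;
}

// Area shared by two {x, y, w, h} rectangles, 0 if they do not intersect.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

function findHiddenOverlays(elements) {
  const byId = new Map(elements.map((e) => [e.id, e]));
  const isHidden = (e) => effectiveOpacity(e, byId) < OPACITY_THRESHOLD;
  const hidden = elements.filter((e) => EMBED_TAGS.has(e.tag) && isHidden(e));
  const targets = elements.filter((e) => e.clickable && !isHidden(e));
  const findings = [];
  for (const h of hidden) {
    for (const t of targets) {
      if (overlapArea(h.rect, t.rect) > 0) findings.push({ hidden: h.id, target: t.id });
    }
  }
  return findings;
}

// Constructed sample page: a visible play button with a plugin object inside a
// fully transparent layer on top of it, plus an ordinary visible iframe.
const samplePage = [
  { id: "slideshow", tag: "div", rect: { x: 0, y: 0, w: 800, h: 600 } },
  { id: "play", tag: "button", clickable: true, parent: "slideshow",
    rect: { x: 370, y: 270, w: 60, h: 60 } },
  { id: "layer", tag: "div", opacity: 0, rect: { x: 0, y: 0, w: 800, h: 600 } },
  { id: "settings", tag: "object", parent: "layer",
    rect: { x: 300, y: 200, w: 215, h: 138 } },
  { id: "banner", tag: "iframe", rect: { x: 0, y: 620, w: 800, h: 90 } },
];

console.log(findHiddenOverlays(samplePage)); // [ { hidden: 'settings', target: 'play' } ]
```

Opacity is only one way to hide a layer, so a clean result from this check does not rule out an overlay hidden by other means.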