Flash Player Clickjacking Flaw Allows Hackers to Hijack Your Webcam

Security researcher Egor Homakov highlights that Adobe has known of the issue since 2011

By on June 14th, 2013 09:44 GMT

Back in October 2011, Adobe reported fixing a clickjacking issue in the online Adobe Flash Player Settings Manager. However, experts say that the flaw can still be leveraged, at least with some web browsers, to allow access to a user’s webcam and microphone.

According to security researcher Egor Homakov, the exploit he has developed is not stable yet, but it appears to work properly on the Mac version of Chrome, Chromium on Linux, and possibly other configurations.

The proof-of-concept developed by Homakov (not safe for work) shows a slideshow of pictures of girls. In the middle of the screen, there’s a play button.

When the play button is pressed, the user is actually allowing for his/her webcam to be accessed. The Flash permissions window is placed in an invisible layer with the “Allow” button right under the play button.

If you run the POC from Chrome on Mac, once you press the button, your webcam is activated and a picture is taken. Homakov’s exploit doesn’t store the pictures, but cybercriminals would probably store the information on their own servers.

Comments

Clickjacking flaw can be leveraged to trick users into allowing access to their webcams
   Clickjacking flaw can be leveraged to trick users into allowing access to their webcams