Flash Vulnerability Allows Website Admins to Spy on Visitors

Another serious vulnerability found in a commercial product

By on October 20th, 2011 08:02 GMT

A computer science student from Stanford University discovered a flaw in Adobe Flash that would allow a website administrator to remotely and silently turn on a visitor’s webcam and microphone.

According to Feross Aboukhadijeh, the trick works on in all the versions of Flash in most Mac browsers. Windows and Linux browsers are not susceptible, probably because of a CSS bug, but he believes that an adaptation would not be too difficult to accomplish.

It looks as this clickjacking method has been used before, but since Adobe added a framebusting JavaScript code, the whole thing seemed to be fixed.

The old method relied on inserting the Adobe Flash Settings Manager page into an invisible iframe, masking it with a game or something that would urge users to click. Feross managed to bypass this restriction by putting only the SWF file into an iframe, instead of the whole settings page.

Because Adobe didn't pay attention to his warnings he decided to pull a 'Vazquez' on them and made the whole thing public.

“I reported this vulnerability to Adobe a few weeks ago through the Stanford Security Lab. It’s been a few weeks and I haven’t heard anything from Adobe yet. I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly,” he revealed.

As with Opera, the publication of the concept resulted in a quick reply.

"Engineering is currently working on a fix. Note that this issue does not involve/require a product update and/or customer action. It's a fix we are making on our end online, and it is going to be pushed live as soon as QA has completed their testing," Adobe spokeswoman Wiebke Lips told CNET.

This is very serious as others might have noticed the error but weren't kind enough to share with Adobe and the rest of the world. Hopefully, the company will act as soon as possible to put a stop to the bug that exposes our privacy.

Comments