Hackers can remotely turn webcams and microphones on through clickjacking

Oct 8, 2008 15:03 GMT

Adobe has released an advisory that describes the Flash Player vulnerability, which previously prompted security researchers Jeremiah Grossman and Robert Hansen to halt the disclosure of technical details regarding clickjacking attacks. According to the advisory, by using clickjacking techniques, an attacker can gain access to a user's webcam and microphone by tricking the user into unknowingly enabling them via the Flash Player Settings Manager.

Clickjacking is a generic name describing various attacks that redirect a user's mouse click from a legitimate item on a Web page to whatever the attacker desires. This means that clickjacking, also known as user interface (UI) redressing, is not a particular attack but a class of attacks. The general concept behind these attacks is placing an invisible button or link under the user's mouse pointer while they browse a Web page, and hijacking the mouse click when they click on an item they consider safe.

Some clickjacking techniques have been known since as early as 2002, but have been largely ignored from a security perspective, because they were considered to rest on logic flaws rather than actual bugs. However, since then, threats like cross-site scripting (XSS) and cross-site request forgery (CSRF) have opened new possibilities for clickjacking. Jeremiah Grossman and Robert Hansen have been working on demonstrating how clickjacking techniques can enhance CSRF and XSS attacks, or how they can become dangerous when combined with things previously considered harmless, like the Flash Player Settings Manager.

The two researchers have canceled their initial OWASP conference presentation of their clickjacking-related findings at the request of Adobe's Product Security Incident Response Team, which realized that, by combining clickjacking with the Flash Player Settings Manager, a door was opened to illegal spying through computer webcams and microphones. The researchers later announced that they were planning to go ahead with the full disclosure later this month, considering that Adobe would have had enough time until then to release a patch.

Meanwhile, someone else has succeeded in figuring out the Flash Player issue on their own, and released a fully working PoC exploit along with detailed technical information. This prompted Adobe to release its advisory in advance, even though the patch has not been finalized yet. The advisory offers a temporary workaround until the new version of Flash Player is ready. The PoC exploit consists of a JavaScript-based game, and demonstrates “how an attacker can get a hold of the user’s camera and microphone.” The hacker notes that “this can be used, for example, with platforms like ustream, justin and alike or to stream to a private server to create a malicious surveillance platform.”

Due to the impromptu disclosure, Grossman and Hansen have also partially released their own findings on their blogs. “Jeremiah and I got the final word today that it was fine to start talking about this due to the click jacking PoC against Flash that was released today that essentially spilled the beans regarding several of the findings that were most concerning,” noted Robert Hansen. He also pointed out that several other researchers had discovered the vulnerabilities on their own, but decided to keep quiet about it. “Thanks to the researchers who found these issues independently after Jeremiah and I were unable to do our speech, but kept it to themselves (Arshan Dabirsiaghi, Jerry Hoff, Eduardo Vela, Matthew Matracci, and Liu Die Yu),” Hansen writes. Meanwhile, Grossman notes that “predictably several people did manage to uncover much of what we had withheld on their own, who thankfully kept it to themselves after verifying it with us privately.”

Hansen identifies and describes as many as eight clickjacking-related vulnerabilities and attack vectors, and provides his own generic PoC code. One issue affects all the major browsers and concerns subverting user clicks onto framed pages. Although JavaScript can be used, it is not required, since CSS alone can place invisible iframes on top of other page items. One mitigation from a webmaster's perspective is JavaScript-based frame-busting code, but this is known to introduce performance problems. The other clickjacking issues mentioned, apart from the Flash Player Settings Manager one, which can also be extended to disable all of the player's security settings, are enhancements to XSS and CSRF attacks, increasing their chance of success or making them harder to prevent. In addition, ActiveX controls can be vulnerable to clickjacking in certain circumstances, while IE8.0 Beta actually blocks frame-busting code, thus interfering with mitigation attempts.
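The frame-busting mitigation mentioned above, as an added example that is not code from the article or from the researchers' PoC: the page starts hidden and is only revealed once the script confirms it is the top-level window, so that even if the redirect out of the frame is blocked (as the article says IE8 Beta does), the framed content is never clickable. The window and document are passed in as parameters, which is an assumption made here so the logic can be exercised with stub objects outside a browser.

```javascript
// Frame-busting helper (added example). Intended usage in a page:
//   <html style="visibility:hidden"> ... <script>bustFrame(window, document);</script>
// The markup hides the document up front; the script reveals it only when
// the page is not embedded in another site's frame.

// Returns true when this window is embedded in a frame. Reading win.top from
// a cross-origin frame may throw a SecurityError in some browsers; a throw is
// itself evidence of framing, so it is treated as "framed".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Hides the document while framed and tries to navigate the top window to
// this page's own URL. Returns a string describing the action taken so the
// result can be checked by a caller or a test:
//   'not-framed'   - top-level window, content revealed
//   'redirected'   - framed; top window pointed at this page's URL
//   'hidden-only'  - framed and the redirect was refused; content stays hidden
function bustFrame(win, doc) {
  if (!isFramed(win)) {
    doc.documentElement.style.visibility = 'visible';
    return 'not-framed';
  }
  // Hide first: the overlay attack needs a visible, clickable target.
  doc.documentElement.style.visibility = 'hidden';
  try {
    win.top.location = win.self.location;
    return 'redirected';
  } catch (e) {
    return 'hidden-only';
  }
}
```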

Many researchers claim that this is just the beginning, even if the disclosed issues get fixed, because clickjacking itself has no simple solution. It is not a surface problem, but one that originates in the fundamental building blocks of today's web architecture, like CSS/DHTML and IFRAMEs. These cannot easily be eliminated, and it is very likely that more clickjacking-based attack techniques will be devised.

Giorgio Maone, the creator of the NoScript Firefox extension, has been keeping an eye on the clickjacking issue, and has been fast to code several specific countermeasures in the new NoScript version (1.8.2.1). “The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals the real thing to you in ‘clear’. At that point you can evaluate if the click target was actually the intended one, and decide whether to keep it locked or unlock it for free interaction,” explains Maone on his blog.

Users are advised to apply the workaround described in the Adobe advisory. Other suggestions include performing online banking tasks separately from regular browsing, and logging out of sensitive websites before continuing to browse to other pages. Some researchers also suggest using separate browsers for different tasks where possible, with one dedicated only to banking.