A slight variation of a previously designed clickjacking attack that used a Adobe Flash vulnerability has once again made it possible for website administrators to surreptitiously spy on their visitors by turning on the user's computer webcam and microphone.
It works in all versions of Adobe Flash that the researcher have tested . He’ve confirmed that it works in the Firefox and Safari for Mac browsers. Use one of those if you check out the live demo. There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux).Clickjacking + Adobe Flash = Sad Times!
This attack works by using a neat variation of the normal clickjacking technique that spammers and other bad people are using in the wild right now. For the uninitiated:
Combine clickjacking with the Adobe Flash Player Setting Manager pageand you have a recipe for some sad times.
How the attack works ?
Instead of iframing the whole settings page (which contains the framebusting code), Just iframe the settings SWF file. This bypasses the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!
A bunch of clickjacking attacks in the wild, never any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic!
The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.— Guya.net
This is a screenshot of what the Settings Manager .SWF file looks like:
| Source |
No comments:
Post a Comment