Adobe Flash + Clickjacking: Who Could Be Watching You (or Not)?

You hope that your computer is secure. Your clients depend on it, and your law firm’s insurance carrier prefers it.

An unsettling discovery by Stanford University computer science student Feross Aboukhadijeh, however, could test that theory. He says that that a malicious website using Adobe Flash, when combined with ‘Clickjacking,’ could actually turn your webcam and microphone on without you knowing it.

Creepy, eh?

No, we’re not making this up.

Adobe’s engineers are currently working to fix this security flaw. Aboukhadijeh says that the company has known about it for a few weeks when he “reported this vulnerability…through the Stanford Security Lab,” but hasn’t heard back from them.

Dan Vu Quoc, a member of Justia’s engineering team thinks that any purported security threat is overblown. He says that it’s not much of a threat if you do not respond to suggestions to click on icons or games at websites that are not trustworthy or reliable.

Oh, and one more thing. The potential peeping and spying threat is real. If you’ve got click-happy kids with computers at home, take a Post-It® note or bandage, and cover up that webcam pronto until Adobe resolves the security flaw.

You can watch Aboukhadijeh explain the Adobe Flash security issue here:

*Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

  • Anonymous

    I agree with my colleague Dan.

    In order to be clickjacked into turning your webcam on, the site would have to trick you into making a very specific sequence of clicks.  What’s more the site has no way of knowing if you actually made those clicks as Aboukhadijeh mentioned in his video, instead the website has to assume you made the previous click and then move on to taking you to the next click.

    Only if the site successfully tricks you into making that full sequence of clicks can they do anything.  Also, so far he has not been able to make this particular trick work on Windows at all, or on Chrome on Mac, only on Safari on Mac and Firefox on Mac, so the number of people effected by this particular vulnerability is somewhat minimal.

    Also, since it only works on Mac (At least at current), the Mac Webcam has also had a little green led that lights up whenever the webcam is in use, so I would think that most people would notice that a bright light suddenly turned on on the top of their computer and know something might be up.

    On the flip side, if you are concerned that the site can turn on your webcam and you want to cover it up, you should also be concerned with the fact that enabling your webcam also enables the built in microphone, so in addition to seeing and recording video of you, this clickjacking technique can also hear you, so the privacy concerns are not covered by simply covering the camera lens with a band-aid.

  • Anonymous

    According to Adobe’s Blog, they have resolved this problem:

    http://blogs.adobe.com/psirt/2011/10/clickjacking-issue-in-adobe-flash-player-settings-manager.html

    “Adobe is aware of a report describing a clickjacking issue related to the online Flash Player Settings Manager. We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website. No user action or Flash Player product update are required.”