Adobe Fixes Flash Privacy Panel So Hackers Can't Spy Via Webcams
Yesterday, Adobe made changes to a page on an Adobe website that controls Flash users' security settingsor more specifically, to the Flash .SWF file embedded in the page that opens the Flash website privacy settings panel. The changes are intended to prevent a clickjacking attack that uses the file to activate and access users webcams and microphones to spy on them.
The change comes a few days after a Stanford student revealed the vulnerability on his website. Feross Aboukhadijeh posted the exploit, along with a demo and a video demonstration, on October 18. He said in a blog post that he had notified Adobe weeks earlier of the problem, reporting the vulnerability to Adobe through the Stanford Security lab.
The exploit demonstrated by Aboukhadijeh uses an elaborate clickjack game that overlays the SWF panel over buttons in a transparent IFRAME. Heres a screenshot of the panel before Adobes changes:
Through a series of clicks, the exploit was able to clear the privacy settings for Flashs Web camera controls and then authorize a new site to activate and access the camera video.The changes did not prompt any pop-ups or other user notifications.
The changes made by Adobe are to the layout and behavior of the widgets in the privacy settings panel. Heres a screenshot of the new panel after the exploit was attempted: