This site is now just an archive over the rise and fall of Flash. The domain is available for sale
Login | Register
ClickJacking - the new privacy game

ClickJacking - the new privacy game

Hijacking webcams have never been this fun - but how could you make someone allow access to their webcam without the user knowing? Check the Camera Clickjacking game and discover yet another clever Flash trick used by hackers.

Using a clever combination of iFrame overlays and a Flash game, Guy Aharonovsky made a simple game that exploited research by Jeremiah Grossman, chief technology officer of White Hat Security, and SecTheory chief executive Robert Hansen. The security problem was instantly patched by Adobe, so you can no longer see the exploit yourself, but Guy has recorded a video that shows how the hijacking could be done.

This trick is so clever that we wanted to make sure others knew about it. By stacking a SWF file using transparent WMODE on top of an iFrame with the Flash Player's Website Privacy Settings Panel the user could be tricked by alternating the order of the SWF and iFrame so that some clicks were on the Settings Panel and some clicks were in the game. The user would never really see if they clicked on the SWF or the HTML overlay, so without knowing it - the user were actually pushing all the right buttons to enable webcam access. Really clever exploit, but by adding a frame-bursting script to the settings manager, Adobe has now fixed this. Since the exploit requires JavaScript, the frame-busting script will also trigger.

Apparently, there is also other tricks you can pull off using similar techniques and Adobe is working on a fix for this. From the looks of the last months exploits, it may look like the Flash Player is the hackers favorite target and the reason is simple. With a distribution of more than 90%, a successful expoit will work across more machines than you could by for instance exploiting a browser weakness.


Get new stories first

Click to follow us on Twitter!



No comments for this page.

Submit a comment

Only registered members can comment. Click here to login or here to register