DerekAllard.com

Clickjacking: Web pages can see and hear you

This one scares me.  Click jacking essentially is where various vulnerabilities in browser, OS and the Flash player allow a malicious user to use your camera and microphone without your knowledge.  There are many variations on it, but today Adobe released an advisory statement on the implications within the Flash player, and now the beans are officially spilled.

I first read about it via Jeremiah Grossman’s blog, and then quickly thereafter on ha.ckers.org.  The definitive proof of concept can be found at guya.net, and all things considered I actually have a Post It note over my camera at the moment.

These sources cover it much better then I could, but let me just say that what scares me mostly is the variety with which this can be executed.  Javascript, CSS, iFrames, known browser or OS vulnerabilities.  The only current (practical) way to protect one’s self is to cripple plugins (in todays world of YouTube… I don’t see that happening) or to permanently change the security permissions of the Flash player (Adobe’s instructions), probably needing to cripple them, otherwise one could get clickjacked back into restoring them.

Even more terrifying is what a hacker would have seen and heard coming from my office this morning.  I’ll spare you the visuals, but it would have sounded like “Meow, meow, meow, meeeeeeoooowwwwwww!” and then “who’s a frisky girl… who’s a frisky girl”, followed by my cat making a nice big scratch under my eye…

This entry was made on and filed into Noteworthy.

Comments

Pascal wrote on

I actually have a Post It note over my camera at the moment

Sounds familiar.  That was my first reaction when they canceled their talk and said it was flash related.

Definitely scary stuff.  Particularly when you think about how long this has been around.

Andy wrote on

Whew.. I’m glad I have neither mic nor webcam. Or sad.
To make it worse, most people probably didn’t realize there is a such thing as Adobe Flash Player Settings Manager, let alone how to configure it properly.

Chris Pierce wrote on

Nice Webjamsession2007 trees up top there buddy!

Derek wrote on

Thanks Chris… a bit off topic I think… but thanks.  The trees are the work of Simon Oxley, and I’ve always given him credit… but I’m not sure if you’re implying otherwise or not.  See, now you’ve confused me (I admit a less impressive feat lately then usual).

manofsteel wrote on

Dude, you left me hanging!  That story was sounding pretty hot.  Where can I get the full version??