HOW TO: Spy on the Webcams of Your Website Visitors

October 18th, 2011

I discovered a vulnerability in Adobe Flash that allows any website to turn on your webcam and microphone without your knowledge or consent to spy on you.

It works in all versions of Adobe Flash that I tested. I’ve confirmed that it works in the Firefox and Safari for Mac browsers. Use one of those if you check out the live demo. There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux).

Update 10/19/2011: CNET says that Adobe is working on a fix and it could be ready by end of week. Adobe also emailed me and said “our product team is wrapping up their investigation and is now working on a fix, which should not require a Flash Player update”.

Update 10/20/2011: Whoa, this story is everywhere!

Update 10/20/2011: Adobe says they just posted a fix to the Settings Manager that should resolve the issue. I just tested it out, and indeed the issue appears to be fixed now. Congrats, Adobe, for the quick fix!

Update 12/21/2011: This attack made it into Jeremiah Grossman’s list of top web hacking techniques of 2011. It’s #26.

Update 1/10/2012: Another similar clickjacking attack was just discovered and fixed by Adobe.

Clickjacking + Adobe Flash = Sad Times!

This attack works by using a neat variation of the normal clickjacking technique that spammers and other bad people are using in the wild right now. For the uninitiated:

Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
— Wikipedia

Combine clickjacking with the Adobe Flash Player Settings Manager page and you have a recipe for some sad times.

Background

I took a computer security class (Stanford’s CS 155) last quarter and really enjoyed this research paper on framebusting and clickjacking. After reading it, I checked out a few popular sites to see if it was possible to clickjack them. After a couple hours, I had no success.

But, then I stumbled upon this blog post entitled “Malicious camera spying using ClickJacking” where the author shows how to clickjack the Adobe Flash Settings Manager page to enable users’ webcams. He accomplishes this by putting the whole settings page into an iframe and making it invisible. Then, unsuspecting users play a little game and unwittingly enable their webcams. Adobe quickly added framebusting code to the Settings Manager page (why wasn’t it there in the first place?), and the attack stopped working.

But alas, the same attack is actually still possible.

How my attack works

Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file. This lets me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!

I’ve seen a bunch of clickjacking attacks in the wild, but I’ve never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic!
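A defensive check for the gap described above, as an added example that is not from the original post or from Adobe: framebusting script only runs inside the HTML page that carries it, so every resource that can be loaded directly in a frame needs header-level protection of its own. The host names, sample responses and function names are constructed for illustration, the source matching is a simplified subset of CSP, and it assumes the browser enforces these headers on the framed response.

```javascript
// Audit which responses another origin could load inside an iframe,
// judged only by response headers (page script is ignored on purpose).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Return the frame-ancestors source list, or null if the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1); // empty list behaves like 'none'
    }
  }
  return null;
}

// Simplified CSP source matching: 'none', 'self', *, scheme:, [scheme://][*.]host[:port]
function sourceMatches(source, parentOrigin, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parentOrigin === selfOrigin;
  if (s === '*') return true;
  const parent = new URL(parentOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/);
  if (!m) return false; // unsupported token: treat as not matching
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== scheme + ':') return false;
  if (port !== '*') {
    const parentPort = parent.port || DEFAULT_PORT[parent.protocol] || '';
    const wanted = port || DEFAULT_PORT[parent.protocol] || '';
    if (wanted !== parentPort) return false;
  }
  return wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
}

// Decide whether `parentOrigin` may frame the response at `resourceUrl`.
function canBeFramed(headers, resourceUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const selfOrigin = new URL(resourceUrl).origin;
  const parent = new URL(parentOrigin).origin;

  // When frame-ancestors is present it is the policy that decides.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    const ok = ancestors.some((src) => sourceMatches(src, parent, selfOrigin));
    return { framable: ok, reason: 'CSP frame-ancestors' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { framable: parent === selfOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { framable: true, reason: 'no header-level frame protection' };
}

// List the URLs in an inventory that `parentOrigin` could frame.
function auditInventory(responses, parentOrigin) {
  return responses
    .filter((r) => canBeFramed(r.headers, r.url, parentOrigin).framable)
    .map((r) => r.url);
}

// Constructed sample inventory (hypothetical host and paths).
const SAMPLE = [
  // HTML page whose only defence is framebusting JavaScript: no headers.
  { url: 'https://settings.example/manager.html', headers: {} },
  // The embedded resource itself, reachable directly: script cannot protect it.
  { url: 'https://settings.example/manager.swf',
    headers: { 'Content-Type': 'application/x-shockwave-flash' } },
  // Hardened variants: the protection travels with each response.
  { url: 'https://settings.example/hardened.html',
    headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://settings.example/hardened.swf',
    headers: { 'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'self' https://*.partner.example" } },
];

for (const r of SAMPLE) {
  const verdict = canBeFramed(r.headers, r.url, 'https://other-site.example');
  console.log(`${verdict.framable ? 'FRAMABLE ' : 'protected'}  ${r.url}  (${verdict.reason})`);
}
```
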

The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.
— Guy Aharonovsky

[Screenshot: what the Adobe Flash Settings Manager .SWF file looks like]

Live Demo

I built a quick proof-of-concept demo to show how it works.

Important: The demo is only guaranteed to work in Firefox and Safari for Mac. Right now, it doesn’t work in most other browsers since you can’t change the opacity or the z-index of an iframed swf file. However, I discovered a workaround that involves multiple iframes, but haven’t implemented it yet since it’s a bit complicated. But, I’m pretty sure that it’s possible to make it work everywhere, given enough time.

View the Demo.

The code is also available on Github.

I should also mention that my demo builds heavily off of the ideas and work done by the dude who runs this blog, Guy Aharonovsky.

Also: If you’re a bit leery about running the demo… I promise I’m not saving the webcam video. I just display it back to you so you can see that it works. However, if an attacker used this technique, they would almost certainly NOT show you any sign that your cam is on. Your only hope of finding out that something’s up is your webcam indicator light (if you have one).

Why release this?

I reported this vulnerability to Adobe a few weeks ago through the Stanford Security Lab. It’s been a few weeks and I haven’t heard anything from Adobe yet. I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.

Although every browser and OS is theoretically susceptible to this attack, the process to activate the webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off. I’m not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don’t have to find out.

Further reading

If you want to learn more about clickjacking and framebusting, you should read the excellent Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites (PDF) paper by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson.

100 Comments on “HOW TO: Spy on the Webcams of Your Website Visitors”

  1. 1 Joe Python said at 3:00 am on October 18th, 2011:

    Using this on Firefox (with NoScript) with Ubuntu Linux gives a clickjack warning.
    It is unusable in Chrome for Ubuntu Linux.

  2. 2 Jack Jack said at 5:13 am on October 18th, 2011:

    old news, bud….

  10. 10 Fin² said at 4:13 am on October 20th, 2011:

    It doesn’t work on Opera (11.51), good browser :) .

  18. 18 eric said at 11:39 am on October 20th, 2011:

    does this hack trigger the webcam light?

  22. 22 Loic Helias said at 1:36 pm on October 20th, 2011:

    Very dangerous!!!
    Adobe should fix it!!!
    Thanks
    Best regards

  30. 30 Rajesh Namase said at 3:20 pm on October 20th, 2011:

    Nice, Adobe fixed this issue. Gr8.

  37. 37 Mathias Bynens said at 12:11 am on October 21st, 2011:

    Honest question — how is this different from RSnake’s discoveries from back in 2008? http://www.scmagazineus.com/clickjacking-exploits-enable-hackers-to-hijack-webcams/article/119226/

    If this is the same vulnerability, I guess this is not a “quick fix” at all :)

  43. 43 eHackingNews said at 1:35 am on October 21st, 2011:

    Nice to hear that Adobe fixed this vulnerability.

  74. 74 Super said at 7:44 am on October 24th, 2011:

    Bad news… but the question is: does the camera light turn on too?

  77. 77 Feross Aboukhadijeh said at 3:41 pm on October 24th, 2011:

    Hey Mathias. Fair question. As far as I know, the main difference is that RSnake’s attack iframes and clickjacks the flash permission prompt that appears in a website’s .swf file when it needs more permissions. My attack works against the actual settings .swf that resides on Adobe’s servers. I actually put the whole Flash Settings Manager into an iframe and thus could clickjack any part of it, not just the webcam/mic settings.

    Hope that explanation makes sense – if not, feel free to ask me more questions. Btw, I’ve followed your blog for a while and think you’re awesome. Thanks for the comment.

    Feross

  79. 79 Mathias Bynens said at 10:19 pm on October 24th, 2011:

    Thanks for your explanation Feross, I get it now :) Nice find!

  94. 94 Jessy said at 11:20 pm on November 9th, 2011:

    It is not so easy. We need more contributing factors to open a webcam without permission.
