Clickjacking exploits enable hackers to hijack webcams

Share this article:

A hacker could potentially see and hear you by hijacking your webcam and microphone using clickjacking exploits and Adobe Flash, security researchers said this week.

“The bad news is with clickjacking, any computer with a microphone and/or a web camera attached can be invisibly coaxed into being a remote surveillance device,” Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, wrote on his blog Tuesday.

Grossman and fellow researcher, Robert "Rsnake" Hansen, founder and CEO of SecTheory, have been researching clickjacking since the middle of the year. They developed a proof-of-concept Flash exploit and had planned to announce it last month at the Open Web Application Security Project, Application Security (OWASP) conference in New York but held off to give Adobe time to fix the problem.

On Tuesday, Adobe issued a security advisory and said it is working to address the "critical" issue for an upcoming Flash Player update. In the meantime, Adobe issued a workaround for customers.

Grossman posted a video to his blog demonstrating how the exploit works. He told SCMagazineUS.com Wednesday that victims think they are clicking on a button, link, or something else on a web page. In reality, however, the click invokes Flash features that enable an attacker to access an attached camera and/or microphone.

“Email your target a link and there isn't really anyone you can't get to and snap a picture of,” he said.

Grossman said the exploit could be used for corporate espionage, government spying or celebrity stalking.

He said he wouldn't be surprised if he saw in-the-wild attacks start appearing in a year.

 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.