Clickjacking exploits enable hackers to hijack webcams

Share this article:

A hacker could potentially see and hear you by hijacking your webcam and microphone using clickjacking exploits and Adobe Flash, security researchers said this week.

“The bad news is with clickjacking, any computer with a microphone and/or a web camera attached can be invisibly coaxed into being a remote surveillance device,” Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, wrote on his blog Tuesday.

Grossman and fellow researcher, Robert "Rsnake" Hansen, founder and CEO of SecTheory, have been researching clickjacking since the middle of the year. They developed a proof-of-concept Flash exploit and had planned to announce it last month at the Open Web Application Security Project, Application Security (OWASP) conference in New York but held off to give Adobe time to fix the problem.

On Tuesday, Adobe issued a security advisory and said it is working to address the "critical" issue for an upcoming Flash Player update. In the meantime, Adobe issued a workaround for customers.

Grossman posted a video to his blog demonstrating how the exploit works. He told SCMagazineUS.com Wednesday that victims think they are clicking on a button, link, or something else on a web page. In reality, however, the click invokes Flash features that enable an attacker to access an attached camera and/or microphone.

“Email your target a link and there isn't really anyone you can't get to and snap a picture of,” he said.

Grossman said the exploit could be used for corporate espionage, government spying or celebrity stalking.

He said he wouldn't be surprised if he saw in-the-wild attacks start appearing in a year.

 

Share this article:

Sign up to our newsletters

More in News

Hackers deliver Kelihos to users sympathetic to Russian 'cause'

Hackers deliver Kelihos to users sympathetic to Russian ...

Playing off the Ukraine conflict, a Kelihos campaign promises victims software to help the Russian cause but delivers malware instead.

Study shows how attackers make use of websites existing for less than 24 hours

Study shows how attackers make use of websites ...

Looking at the top 50 of parent domains that produced websites existing for less than 24 hours, researchers with Blue Coat Security Labs observed that 22 percent were malicious.

Phishing campaign lures victims with models' photos

Two nude models' photos reeled in unsuspecting victims who handed over their Facebook logins to gain access to adult material.