Clickjacking exploits enable hackers to hijack webcams

Share this article:

A hacker could potentially see and hear you by hijacking your webcam and microphone using clickjacking exploits and Adobe Flash, security researchers said this week.

“The bad news is with clickjacking, any computer with a microphone and/or a web camera attached can be invisibly coaxed into being a remote surveillance device,” Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, wrote on his blog Tuesday.

Grossman and fellow researcher, Robert "Rsnake" Hansen, founder and CEO of SecTheory, have been researching clickjacking since the middle of the year. They developed a proof-of-concept Flash exploit and had planned to announce it last month at the Open Web Application Security Project, Application Security (OWASP) conference in New York but held off to give Adobe time to fix the problem.

On Tuesday, Adobe issued a security advisory and said it is working to address the "critical" issue for an upcoming Flash Player update. In the meantime, Adobe issued a workaround for customers.

Grossman posted a video to his blog demonstrating how the exploit works. He told SCMagazineUS.com Wednesday that victims think they are clicking on a button, link, or something else on a web page. In reality, however, the click invokes Flash features that enable an attacker to access an attached camera and/or microphone.

“Email your target a link and there isn't really anyone you can't get to and snap a picture of,” he said.

Grossman said the exploit could be used for corporate espionage, government spying or celebrity stalking.

He said he wouldn't be surprised if he saw in-the-wild attacks start appearing in a year.

 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.