Clickjacking exploits enable hackers to hijack webcams

A hacker could potentially see and hear you by hijacking your webcam and microphone using clickjacking exploits and Adobe Flash, security researchers said this week.

“The bad news is with clickjacking, any computer with a microphone and/or a web camera attached can be invisibly coaxed into being a remote surveillance device,” Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, wrote on his blog Tuesday.

Grossman and fellow researcher, Robert "Rsnake" Hansen, founder and CEO of SecTheory, have been researching clickjacking since the middle of the year. They developed a proof-of-concept Flash exploit and had planned to announce it last month at the Open Web Application Security Project, Application Security (OWASP) conference in New York but held off to give Adobe time to fix the problem.

On Tuesday, Adobe issued a security advisory and said it is working to address the "critical" issue for an upcoming Flash Player update. In the meantime, Adobe issued a workaround for customers.

Grossman posted a video to his blog demonstrating how the exploit works. He told SCMagazineUS.com Wednesday that victims think they are clicking on a button, link, or something else on a web page. In reality, however, the click invokes Flash features that enable an attacker to access an attached camera and/or microphone.

“Email your target a link and there isn't really anyone you can't get to and snap a picture of,” he said.

Grossman said the exploit could be used for corporate espionage, government spying or celebrity stalking.

He said he wouldn't be surprised if he saw in-the-wild attacks start appearing in a year.