Clickjacking exploits enable hackers to hijack webcams

Share this article:

A hacker could potentially see and hear you by hijacking your webcam and microphone using clickjacking exploits and Adobe Flash, security researchers said this week.

“The bad news is with clickjacking, any computer with a microphone and/or a web camera attached can be invisibly coaxed into being a remote surveillance device,” Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, wrote on his blog Tuesday.

Grossman and fellow researcher, Robert "Rsnake" Hansen, founder and CEO of SecTheory, have been researching clickjacking since the middle of the year. They developed a proof-of-concept Flash exploit and had planned to announce it last month at the Open Web Application Security Project, Application Security (OWASP) conference in New York but held off to give Adobe time to fix the problem.

On Tuesday, Adobe issued a security advisory and said it is working to address the "critical" issue for an upcoming Flash Player update. In the meantime, Adobe issued a workaround for customers.

Grossman posted a video to his blog demonstrating how the exploit works. He told SCMagazineUS.com Wednesday that victims think they are clicking on a button, link, or something else on a web page. In reality, however, the click invokes Flash features that enable an attacker to access an attached camera and/or microphone.

“Email your target a link and there isn't really anyone you can't get to and snap a picture of,” he said.

Grossman said the exploit could be used for corporate espionage, government spying or celebrity stalking.

He said he wouldn't be surprised if he saw in-the-wild attacks start appearing in a year.

 

Share this article:

Sign up to our newsletters

More in News

Accuvant taps Coca Cola CISO Guttmann as VP

Former Coca Cola CISO Renee Guttmann has joined Accuvant's Office of the CISO.

ICO fines U.K. travel firm £150,000 for 2012 breach

Data on more than one million credit and debit cards was pilfered in the 2012 breach of a system Think W3 Limited.

Firefox 32 feature could cut undetected malware downloads 'in half'

Mozilla plans to introduce a feature in Firefox 32 that, based on preliminary testing, could cut the amount of undetected malware downloads in half.