
Malicious camera spying using ClickJacking


Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response.

Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario: you play a short game on the web and, by doing that, you unknowingly grant someone full access to your webcam and microphone.

I've made a live demo of it here; this demo won't listen to or record any of your input.

If you don't want to try it or don't have a webcam connected, then check out the video.

When I first heard about ClickJacking and how concerned Adobe is about it, I thought that the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job of disabling itself when you try to mess with its visibility through DHTML. Unless there's some 0-day issue with the Dialog, it's probably relatively safe.

The problem here is the Flash Player Settings Manager; this inheritance from Macromedia might be Flash Player security's Achilles heel.

I've written a quick and dirty JavaScript game that exploits just that and demonstrates how an attacker can get hold of the user's camera and microphone. This can be used, for example, with platforms like ustream, justin and the like, or to stream to a private server to create a malicious surveillance platform.

I've made it as a JS game to make it easier to understand, but bear in mind that any Flash, Java, Silverlight or DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks, others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index.

I had doubts about publishing this, but if I could understand it, so can the bad guys, so it's better to know about it.

In this case Adobe could have just framebusted the pages that hold the Settings Manager. There are two issues with framebusting in this case: it won't solve all cases (legacy browsers, for example) and it will force Adobe to rely on JavaScript.
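
A fail-closed version of the framebusting mentioned above, as an added example that is not code from the original post or from Adobe: the page stays hidden unless script confirms it is the top-level window, which also makes the dependence on JavaScript visible. The names `guardAgainstFraming` and `simulate`, the mock window/document objects and the `settings.example` URL are assumptions made for illustration.

```javascript
// Added example (not the original post's code): fail-closed framebusting.
// The protected page ships hidden, e.g. <style>html{display:none}</style>,
// so with script disabled or blocked it never shows clickable controls.
// `win` and `doc` are parameters so the logic also runs outside a browser.
function guardAgainstFraming(win, doc) {
  if (win.self === win.top) {
    // Top-level document: safe to reveal the page.
    doc.documentElement.style.display = 'block';
    return 'shown';
  }
  try {
    // Framed: ask the browser to load this page in the top-level window.
    win.top.location = win.self.location.href;
    return 'navigating';
  } catch (e) {
    // Navigation refused (for example a sandboxed iframe without
    // allow-top-navigation). The page stays hidden, so there is
    // nothing visible or clickable for an overlay to line up with.
    return 'hidden';
  }
}

// Constructed stand-ins for window/document, for running under Node.
function simulate({ framed, blockNavigation }) {
  const doc = { documentElement: { style: { display: 'none' } } };
  const win = { location: { href: 'https://settings.example/manager' } };
  win.self = win;
  win.top = win;
  if (framed) {
    const top = { navigatedTo: null };
    Object.defineProperty(top, 'location', {
      set(url) {
        if (blockNavigation) throw new Error('SecurityError (simulated)');
        top.navigatedTo = url;
      },
    });
    win.top = top;
  }
  const outcome = guardAgainstFraming(win, doc);
  return { outcome, display: doc.documentElement.style.display,
           navigatedTo: framed ? win.top.navigatedTo : null };
}

// Browser entry point; under Node `window` is undefined and this is skipped.
if (typeof window !== 'undefined') {
  guardAgainstFraming(window, document);
}
```

The guard only covers the HTML page that includes it; a resource that can be loaded into a frame directly is not protected by it.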

Play it here, watch it here

Comments (23)

Imported from the original blog

x-tense · Oct 7, 2008

nice PoC :)

Josh Tynjala · Oct 8, 2008

Impressive. Thanks for sharing.

w0lf · Oct 8, 2008

This seems really a wet dream for spyware :) Hope all the browsers soon find a way to fix the way they handle iframes.

yehg.net · Oct 8, 2008

plugins are always vulnerable. Many 0days still out there :)

Elisabeth · Oct 9, 2008

This is Dong-bin (Elisabeth) Kim and I'm a reporter for Information Security 21C, a monthly magazine, and Boan News, an internet daily news site.
I'm very impressed, so I'd like to introduce your PoC via our magazine.
So, if you're O.K, I'd like to capture your PoC and put it into our magazine.
Please send comment to me.

sheez · Oct 9, 2008

blah, this was demonstrated by a DOD security expert YEARS ago. Man, get with the times.

Kugelfisch · Oct 12, 2008

In fact, Macromedia's Framekiller does not seem to help at all, as the settings manager's flash-movie itself can still be loaded into an IFRAME. Have a quick look at this derivative of your PoC: http://kugelfisch.bplaced.n...

Eugene · Oct 20, 2008

Looking forward to more information about this. Thanks for sharing. Eugene

John aniime · Nov 3, 2008

Click Jacking has long since been called by search engine marketers... u need a new term.

what click jacking really is is swapping in your own ads into someone else's page often by overlaying or using javascript or filtering their content

Decapper · Jan 9, 2009

Yeah I would hate for this to happen - http://www.pricelesswedding... as I would be caught pants down :)

travesti · Mar 9, 2010

ction, please visit the blog post of Flash developer Guy Aharonovsky, where he demonstrates in a video how a user unintentionally changes his browser’s security settings while playing a JavaScript

y8 juegos · Oct 31, 2010

what click jacking really is is swapping in your own ads into someone else's page often by overlaying or using javascript or filtering their content?

Enoch Boris · Feb 13, 2011

Hiya! I just would like to give an enormous thumbs up for the nice data you could have here on this post. I will be coming back to your weblog for more soon.

Roshan Patel · Feb 24, 2011

This article is well written and quite informative. More articles should be written and you have just found a follower. Keep posting. Flash flash flash!

Form 16 · Feb 26, 2011

Thanks for the article ...... nice one……
I liked very much.......

travesti · Mar 14, 2011

action, please visit the blog post of Flash developer Guy Aharonovsky, where he demonstrates in a video how a user unintentionally changes his browser’s security settings while playing a JavaScript

Cam · May 11, 2011

Privacy goes more and more public. When will we live in a glass house and watch my neighbor, what he's doing right now?

Mandy F. · May 12, 2011

Big Brother is watching you

agriturismo abruzzo · May 13, 2011

Hey nice post and site, good work! ;-)

reisebox · May 14, 2011

Clickjacking is a relatively new threat to Web applications which, in its short history, has already done damage several times. I can only recommend everyone to be vigilant.

Reitsport Fan · Jul 25, 2011

No one needs a big brother

Dan Butionly · May 9, 2017

Why. This thing could actually help you

ich · Oct 16, 2011

Hey nice post and site, good work!