Adobe plugs Flash webcam spy hole

Oct 22, 2011 by Nancy Owano report

(PhysOrg.com) -- Adobe engineers on Thursday fixed a vulnerability in its Flash software that could enable attackers to use a person’s computer webcam or microphone feeds for spying on the person. Adobe made changes to an Adobe website page that controls Flash user’s security settings. The fix did not require users to do anything more than stop shaking. A few days before the Adobe fix, Feross Aboukhadijeh, a Stanford University computer science student, had gone public with his announcement of the Adobe flaw.

He had been able to confirm a bug in the allowing the potential for such eavesdropping. Users who clicked on certain links could possibly let attackers access their Mac webcams and mics.

As far as his exploits could tell, the vulnerability showed up on Macs when using Firefox or Safari browsers. Aboukhadijeh went on to say he went public only after he had first reported the to Adobe through the Stanford Security Lab but got no reply a few weeks earlier.“I think it's worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.”

This video is not supported by your browser at this time.

What was troubling was that there were no popups or other user notifications informing him that the camera video had been activated and made accessible. In other words, eavesdropping could take place with neither the user's permission nor knowledge.Adobe contacted him soon after Aboukhadijeh published his findings in his public disclosure to say that they were working on it.

The discovery is an example of a 'clickjacking' hole--where people's webcams or microphones can be turned on without their knowledge. The Adobe flaw discovery follows a clickjacking alarm raised in 2008 by security researchers Jeremiah Grossman and Robert Hansen.

The technical term for clickjacking is user interface (UI) redressing. The trickster combines Web programming features with social engineering to entice users into initiating actions that they otherwise would not want to take.

While the discovery and subsequent fix might be seen as All's Well That Ends Well, one academic thinks this week’s incident is troubling based on what he reads between the lines.

In announcing the fix, Adobe said it was aware of a report describing a clickjacking issue related to the Flash Player Settings Manager. “We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the website. No user action or Flash Player product update are required." No user action or update required? That comforter is what rattles Steven Bellovin, Professor of Computer Science at Columbia University.

"Code on a remote computer somewhere decides whether or not random web sites can spy on you," he blogged in CircleID. "it's simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe's servers."

Explore further: Ride-sharing app Lyft expands to new markets

Related Stories

Adobe to offer Flash to iPhone developers

Oct 05, 2009

(AP) - Adobe Systems says developers for Apple's iPhone will be able to use its video-enabling software, Flash, to create applications for the device for the first time.

Intel and Adobe to Extend Flash Platform to TVs

Jan 05, 2009

Adobe Systems and Intel today announced plans to collaborate on the development to port and optimize Adobe Flash technology for the Intel Media Processor CE 3100. This effort is expected to provide consumers with richer and ...

First smart TV app developed using Adobe AIR

Oct 05, 2011

At Max 2011, Adobe’s technology developer conference, Samsung Electronics Co., Ltd, a global leader in digital media and digital convergence technologies, announced the launch of the first Smart TV application using ...

Adobe embracing Apple-favored online video format

May 19, 2010

Adobe Systems on Wednesday put aside its tiff with Apple and told thousands of software developers it is embracing the online video format preferred by the maker of iPhones, iPods and iPads.

Recommended for you

Review: 'Hearthstone' card game is the real deal

11 hours ago

Video game publishers don't take many risks with their most popular franchises. You know exactly what you are going to get from a new "Call of Duty" or "Madden NFL" game—it will probably be pretty good, ...

Microsoft expands ad-free Bing search for schools

Apr 23, 2014

Microsoft is expanding a program that gives schools the ability to prevent ads from appearing in search results when they use its Bing search engine. The program, launched in a pilot program earlier this year, is now available ...

Growing app industry has developers racing to keep up

Apr 20, 2014

Smartphone application developers say they are challenged by the glut of apps as well as the need to update their software to keep up with evolving phone technology, making creative pricing strategies essential to finding ...

Android gains in US, basic phones almost extinct

Apr 18, 2014

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

PhotonX
not rated yet Oct 23, 2011
Damn, I just _knew_ all that web browsing without my pants on would come back to haunt me.
Digi
not rated yet Oct 23, 2011
Damn, I just _knew_ all that web browsing without my pants on would come back to haunt me.

Yes and the fact you were in a cyber cafe didn't help.
Mike H
not rated yet Oct 23, 2011
You seem to not understand exactly how the attack works when you claim that "a remote server can tell who can and cannot access my web cam".

They simply failed to properly protect their settings app.

Adobe in their infinite wisdom(sarcasm implied) made the settings applet a flash applet. They host it on their site because its simple and easy to update when features are changed and to make one central reference point to give to change local settings.

They protected the *page* the applet was on, but not the applet it self from being loaded in a frame.

The app still loaded and simply allowed you to edit your own local storage as if the adobe site called it. YOU changed YOUR prefs. You don't realize it because the CSS hides what is really underneath: the settings app.

Adobe does not store settings remotely!

Adobe added frame detection to their app on their site. The reason you don't need an update is because the settings app never lived locally, it always was called from remote.
Nerdyguy
1 / 5 (1) Oct 23, 2011
After manually updating Adobe products more frequently than any other product (malware scan definition files excluded), I have become convinced that they are using this as an advertising strategy.

What other "background" (e.g., Flash) product pops up on your desktop at least once a week demanding you click on their "agreement" (what a joke) in order to initiate a simple update?

More news stories

Genetic code of the deadly tsetse fly unraveled

Mining the genome of the disease-transmitting tsetse fly, researchers have revealed the genetic adaptions that allow it to have such unique biology and transmit disease to both humans and animals.