Adobe plugs Flash webcam spy hole

Oct 22, 2011 by Nancy Owano report

(PhysOrg.com) -- Adobe engineers on Thursday fixed a vulnerability in its Flash software that could enable attackers to use a person’s computer webcam or microphone feeds for spying on the person. Adobe made changes to an Adobe website page that controls Flash user’s security settings. The fix did not require users to do anything more than stop shaking. A few days before the Adobe fix, Feross Aboukhadijeh, a Stanford University computer science student, had gone public with his announcement of the Adobe flaw.

He had been able to confirm a bug in the allowing the potential for such eavesdropping. Users who clicked on certain links could possibly let attackers access their Mac webcams and mics.

As far as his exploits could tell, the vulnerability showed up on Macs when using Firefox or Safari browsers. Aboukhadijeh went on to say he went public only after he had first reported the to Adobe through the Stanford Security Lab but got no reply a few weeks earlier.“I think it's worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.”

This video is not supported by your browser at this time.

What was troubling was that there were no popups or other user notifications informing him that the camera video had been activated and made accessible. In other words, eavesdropping could take place with neither the user's permission nor knowledge.Adobe contacted him soon after Aboukhadijeh published his findings in his public disclosure to say that they were working on it.

The discovery is an example of a 'clickjacking' hole--where people's webcams or microphones can be turned on without their knowledge. The Adobe flaw discovery follows a clickjacking alarm raised in 2008 by security researchers Jeremiah Grossman and Robert Hansen.

The technical term for clickjacking is user interface (UI) redressing. The trickster combines Web programming features with social engineering to entice users into initiating actions that they otherwise would not want to take.

While the discovery and subsequent fix might be seen as All's Well That Ends Well, one academic thinks this week’s incident is troubling based on what he reads between the lines.

In announcing the fix, Adobe said it was aware of a report describing a clickjacking issue related to the Flash Player Settings Manager. “We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the website. No user action or Flash Player product update are required." No user action or update required? That comforter is what rattles Steven Bellovin, Professor of Computer Science at Columbia University.

"Code on a remote computer somewhere decides whether or not random web sites can spy on you," he blogged in CircleID. "it's simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe's servers."

Explore further: Watching others play video games is the new spectator sport

Related Stories

Adobe to offer Flash to iPhone developers

Oct 05, 2009

(AP) - Adobe Systems says developers for Apple's iPhone will be able to use its video-enabling software, Flash, to create applications for the device for the first time.

Intel and Adobe to Extend Flash Platform to TVs

Jan 05, 2009

Adobe Systems and Intel today announced plans to collaborate on the development to port and optimize Adobe Flash technology for the Intel Media Processor CE 3100. This effort is expected to provide consumers with richer and ...

First smart TV app developed using Adobe AIR

Oct 05, 2011

At Max 2011, Adobe’s technology developer conference, Samsung Electronics Co., Ltd, a global leader in digital media and digital convergence technologies, announced the launch of the first Smart TV application using ...

Adobe embracing Apple-favored online video format

May 19, 2010

Adobe Systems on Wednesday put aside its tiff with Apple and told thousands of software developers it is embracing the online video format preferred by the maker of iPhones, iPods and iPads.

Recommended for you

Watching others play video games is the new spectator sport

Aug 29, 2014

As the UK's largest gaming festival, Insomnia, wrapped up its latest event on August 25, I watched a short piece of BBC Breakfast news reporting from the festival. The reporter and some of the interviewees appeared baff ...

SHORE facial analysis spots emotions on Google Glass

Aug 28, 2014

One of the key concerns about facial recognition software has been over privacy. The very idea of having tracking mechanisms as part of an Internet-connected wearable would be likely to upset many privacy ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

PhotonX
not rated yet Oct 23, 2011
Damn, I just _knew_ all that web browsing without my pants on would come back to haunt me.
Digi
not rated yet Oct 23, 2011
Damn, I just _knew_ all that web browsing without my pants on would come back to haunt me.

Yes and the fact you were in a cyber cafe didn't help.
Mike H
not rated yet Oct 23, 2011
You seem to not understand exactly how the attack works when you claim that "a remote server can tell who can and cannot access my web cam".

They simply failed to properly protect their settings app.

Adobe in their infinite wisdom(sarcasm implied) made the settings applet a flash applet. They host it on their site because its simple and easy to update when features are changed and to make one central reference point to give to change local settings.

They protected the *page* the applet was on, but not the applet it self from being loaded in a frame.

The app still loaded and simply allowed you to edit your own local storage as if the adobe site called it. YOU changed YOUR prefs. You don't realize it because the CSS hides what is really underneath: the settings app.

Adobe does not store settings remotely!

Adobe added frame detection to their app on their site. The reason you don't need an update is because the settings app never lived locally, it always was called from remote.
Nerdyguy
1 / 5 (1) Oct 23, 2011
After manually updating Adobe products more frequently than any other product (malware scan definition files excluded), I have become convinced that they are using this as an advertising strategy.

What other "background" (e.g., Flash) product pops up on your desktop at least once a week demanding you click on their "agreement" (what a joke) in order to initiate a simple update?