Adobe plugs Flash webcam spy hole

Oct 22, 2011 by Nancy Owano report

( -- Adobe engineers on Thursday fixed a vulnerability in its Flash software that could enable attackers to use a person’s computer webcam or microphone feeds for spying on the person. Adobe made changes to an Adobe website page that controls Flash user’s security settings. The fix did not require users to do anything more than stop shaking. A few days before the Adobe fix, Feross Aboukhadijeh, a Stanford University computer science student, had gone public with his announcement of the Adobe flaw.

He had been able to confirm a bug in the allowing the potential for such eavesdropping. Users who clicked on certain links could possibly let attackers access their Mac webcams and mics.

As far as his exploits could tell, the vulnerability showed up on Macs when using Firefox or Safari browsers. Aboukhadijeh went on to say he went public only after he had first reported the to Adobe through the Stanford Security Lab but got no reply a few weeks earlier.“I think it's worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.”

This video is not supported by your browser at this time.

What was troubling was that there were no popups or other user notifications informing him that the camera video had been activated and made accessible. In other words, eavesdropping could take place with neither the user's permission nor knowledge.Adobe contacted him soon after Aboukhadijeh published his findings in his public disclosure to say that they were working on it.

The discovery is an example of a 'clickjacking' hole--where people's webcams or microphones can be turned on without their knowledge. The Adobe flaw discovery follows a clickjacking alarm raised in 2008 by security researchers Jeremiah Grossman and Robert Hansen.

The technical term for clickjacking is user interface (UI) redressing. The trickster combines Web programming features with social engineering to entice users into initiating actions that they otherwise would not want to take.

While the discovery and subsequent fix might be seen as All's Well That Ends Well, one academic thinks this week’s incident is troubling based on what he reads between the lines.

In announcing the fix, Adobe said it was aware of a report describing a clickjacking issue related to the Flash Player Settings Manager. “We have resolved the issue with a change to the Flash Player Settings Manager SWF file hosted on the website. No user action or Flash Player product update are required." No user action or update required? That comforter is what rattles Steven Bellovin, Professor of Computer Science at Columbia University.

"Code on a remote computer somewhere decides whether or not random web sites can spy on you," he blogged in CircleID. "it's simply wrong for a design to outsource a critical access control decision to a third party. My computer should decide what sites can turn on my camera and microphone, not one of Adobe's servers."

Explore further: Hackathon team's GoogolPlex gives Siri extra powers

Related Stories

Adobe to offer Flash to iPhone developers

Oct 05, 2009

(AP) - Adobe Systems says developers for Apple's iPhone will be able to use its video-enabling software, Flash, to create applications for the device for the first time.

Intel and Adobe to Extend Flash Platform to TVs

Jan 05, 2009

Adobe Systems and Intel today announced plans to collaborate on the development to port and optimize Adobe Flash technology for the Intel Media Processor CE 3100. This effort is expected to provide consumers with richer and ...

First smart TV app developed using Adobe AIR

Oct 05, 2011

At Max 2011, Adobe’s technology developer conference, Samsung Electronics Co., Ltd, a global leader in digital media and digital convergence technologies, announced the launch of the first Smart TV application using ...

Adobe embracing Apple-favored online video format

May 19, 2010

Adobe Systems on Wednesday put aside its tiff with Apple and told thousands of software developers it is embracing the online video format preferred by the maker of iPhones, iPods and iPads.

Recommended for you

Hackathon team's GoogolPlex gives Siri extra powers

10 hours ago

( —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

( —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 4

Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Oct 23, 2011
Damn, I just _knew_ all that web browsing without my pants on would come back to haunt me.
not rated yet Oct 23, 2011
Damn, I just _knew_ all that web browsing without my pants on would come back to haunt me.

Yes and the fact you were in a cyber cafe didn't help.
Mike H
not rated yet Oct 23, 2011
You seem to not understand exactly how the attack works when you claim that "a remote server can tell who can and cannot access my web cam".

They simply failed to properly protect their settings app.

Adobe in their infinite wisdom(sarcasm implied) made the settings applet a flash applet. They host it on their site because its simple and easy to update when features are changed and to make one central reference point to give to change local settings.

They protected the *page* the applet was on, but not the applet it self from being loaded in a frame.

The app still loaded and simply allowed you to edit your own local storage as if the adobe site called it. YOU changed YOUR prefs. You don't realize it because the CSS hides what is really underneath: the settings app.

Adobe does not store settings remotely!

Adobe added frame detection to their app on their site. The reason you don't need an update is because the settings app never lived locally, it always was called from remote.
1 / 5 (1) Oct 23, 2011
After manually updating Adobe products more frequently than any other product (malware scan definition files excluded), I have become convinced that they are using this as an advertising strategy.

What other "background" (e.g., Flash) product pops up on your desktop at least once a week demanding you click on their "agreement" (what a joke) in order to initiate a simple update?

More news stories

White House updating online privacy policy

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to, mobile apps and social media sites. It also clarifies that ...

Hackathon team's GoogolPlex gives Siri extra powers

( —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Scientists tether lionfish to Cayman reefs

Research done by U.S. scientists in the Cayman Islands suggests that native predators can be trained to gobble up invasive lionfish that colonize regional reefs and voraciously prey on juvenile marine creatures.

Six Nepalese dead, six missing in Everest avalanche

At least six Nepalese climbing guides have been killed and six others are missing after an avalanche struck Mount Everest early Friday in one of the deadliest accidents on the world's highest peak, officials ...

Better thermal-imaging lens from waste sulfur

Sulfur left over from refining fossil fuels can be transformed into cheap, lightweight, plastic lenses for infrared devices, including night-vision goggles, a University of Arizona-led international team ...