Skip to main content

Adobe promises fix for webcam-spying Flash bug

Aboukhadijeh Flash setting clickjack
Image used with permission by copyright holder

Some technology flaws don’t go away—they just get a Band-Aid applied to them that eventually falls off. Adobe says it is working on a fix to an Adobe Flash vulnerability that enables attackers to trick Flash users into turning on their microphone and/or webcams, potentially enabling attackers to visually spy on them, overhear and record conversations, and obtain sensitive information. However, unlike most zero-day Flash exploits, this one doesn’t involve the Flash plug-in itself: instead, it uses interface obfuscation techniques to get users to unwittingly change their Flash player settings using a Shockwave Flash file hosted by Adobe itself.

Re-discovered by Stanford computer science student Feross Aboukhadijeh, the attack works by loading Adobe’s own Flash Player Settings Manager directly from Adobe, then using CSS, JavaScript, or other techniques to hide most of the interface and encourage users to click in locations that will enable Flash access to a user’s webcam or microphone. The attack relies on trickery and social engineering to get users to click in the right locations, rather than exploiting a bug in the plug-in or the Flash Player Settings Manager.

The technique is similar to a webcam settings attack that surfaced back in 2008; however, in that case attackers were loading the Flash Player Settings file into an iframe (essentially, a sub-region of a Web page that can be treated like a separate page), and using trickery to get users to click the settings options there. Adobe changed their settings file so it couldn’t be loaded in an iframe, but Aboukhadijeh realized that wasn’t actually necessary: just load the settings manager directly from Adobe, and you bypass Adobe’s anti-framing JavaScript code.

Aboukhadijeh reported the problem to Adobe, and apparently received no response. However, after disclosing the problem publicly Adobe has contacted Aboukhadijeh and said they are working on a fix that will not require an update to the Flash Player. As a result, Adobe likely won’t issue a security bulletin about the vulnerability. According to CNet, Adobe says a fix could be deployed by the end of the week.

Adobe has long been criticized for using a Shockwave Flash file on its own servers to enable user control of users’ settings on their local machines. Computer security experts and privacy advocates have also noted it makes the process of monitoring and clearing “Flash cookies”—also known as Local Shared Objects—considerably more complicated than it needs to be.

Topics
Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Using Zoom on a Mac? It may be secretly recording your audio
zoom recording audio privacy bug macos zoom1

Over the course of the pandemic, Zoom has gone from an occasionally used video calling app to an essential tool for workers all over the world. Yet according to a number of reports, a Zoom bug may be recording Mac users’ audio without their knowledge.

As reported by The Register, the issue first reared its head in late 2021, when Mac users began noticing that Zoom was recording their microphone audio, even when the app was simply open in the background and not actively conducting a call.

Read more
Miniature high-resolution webcams could soon be coming to laptops
Immervision's new small webcam module, next to a Canadian coin.

Laptops are about to get even slimmer this year, and they won't necessarily have to give up webcam quality either.

Immervision has announced a new 8-megapixel webcam sensor targeted at laptops and tablets that measures just 3.8mm thin. The module is being billed as the world's thinnest camera system for a laptop.

Read more
Anker’s all-in-one webcam/mic/light is the gizmo we all still need
anker video bar

The ongoing pandemic has thrown yet another wrench in our return-to-office plans, leaving more room for manufacturers to up the ante when it comes to remote work gear. And China-based accessory maker Anker's new Video Bar might just be all you need to look and sound your best in virtual meetings.

At CES this year, Anker unveiled the B600 Video Bar, an all-in-one videoconferencing accessory that combines a speaker, light, microphone, and webcam in a single device. It sells for a comparatively steep price -- ($220 -- but Anker hasn’t cut any corners in specifications, and the Video Bar features a laundry list of high-end components.

Read more