If you're reading this on a Mac, the tiny webcam at the top of your computer could very well be watching your every move.
The problem lies in an Adobe Flash Player vulnerability that an attacker can exploit to turn on the webcams and microphones of anyone who visits a specially rigged site and spy on them without their knowledge, according to Stanford University computer science student Feross Aboukhadijeh, who discovered the bug and tested it in a proof-of-concept hack.
On his blog, Aboukhadijeh explained how he inserted an iframe, a line of Web page code that loads data from another site, over Flash Player's Website Privacy Settings panel, the part of Adobe's program used to designate which sites can access a user's camera and microphone. The panel, he discovered, is in an SWF (Shockwave Flash) format, and by loading the rigged SWF file directly into an iframe, he was able to bypass Adobe's security measures.
Aboukhadijeh created a simple JavaScript game for his proof-of-concept exploit in which the user is prompted to click on a quickly moving button that says "Click me!" While the player is clicking on the screen trying to land on the moving target, his clicks unknowingly allow the attacker to turn on the player's camera and microphone.
"I've seen a bunch of clickjacking attacks in the wild, but I've never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic!" Aboukhadijeh wrote.
Aboukhadijeh notified Adobe, and Adobe said it is working on a fix for the bug that should be ready by the end of the week. Aboukhadijeh said that he disclosed the dangerous Flash vulnerability to Adobe "a few weeks ago," but never received a response. "I think it's worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly," he said.
