An older flaw in the Adobe Flash plugin that should have been fixed two years ago is still exploitable by cyber-criminals, letting them spy on users in real time through the built-in camera and microphone.
The flaw relies on the notorious click-jacking technique, which allows a malicious user to disguise a transparent Flash object (in this case the Privacy settings of the plugin) under a Play button, thus getting permission to stream camera and microphone input to a remote website.
The discovery was made by security researcher Egor Homakov, who built a proof-of-concept attack impersonating a picture slideshow. Playing the slideshow actually authorizes the web page to access the camera and microphone, and a picture of the user is taken. Of course, the camera LED blinks, but chances are that the user won't notice it.
The exploitation technique works on Internet Explorer and Google Chrome browsers with the Adobe Flash plugin installed. It does not work on Opera 12 and Firefox 21, as they ignore the transparency settings. Nor does it work on mobile browsers, as they don't support Flash.
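The condition the attack depends on, plugin content rendered transparent while sitting over a visible control, can be checked for when auditing a page. The following is an added example, not code from the article or from the researcher's proof of concept; the element objects, their ids and the 0.1 opacity threshold are constructed assumptions standing in for real DOM nodes.

```javascript
// Tags that can host plugin or framed content able to receive the user's click.
const PLUGIN_TAGS = new Set(["object", "embed", "iframe"]);

// CSS opacity multiplies down the tree: an opaque <object> inside a
// 1%-opacity wrapper is still invisible, so walk the ancestor chain.
function effectiveOpacity(el) {
  let o = 1;
  for (let n = el; n; n = n.parent) o *= (n.opacity ?? 1);
  return o;
}

// Axis-aligned rectangle intersection on {x, y, w, h}.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// Report plugin elements below `threshold` opacity that overlap a visible
// non-plugin element (the control the user believes they are clicking).
function findHiddenPluginOverlays(elements, threshold = 0.1) {
  const visible = elements.filter(
    e => !PLUGIN_TAGS.has(e.tag) && effectiveOpacity(e) >= threshold);
  return elements
    .filter(e => PLUGIN_TAGS.has(e.tag) && effectiveOpacity(e) < threshold)
    .map(p => ({
      plugin: p.id,
      opacity: effectiveOpacity(p),
      covers: visible.filter(v => overlaps(p.rect, v.rect)).map(v => v.id),
    }))
    .filter(r => r.covers.length > 0);
}

// Constructed sample page: a near-transparent wrapper holding a Flash
// object over a Play button, plus an ordinary opaque video player.
const wrapper = { id: "wrap", tag: "div", opacity: 0.01,
                  rect: { x: 100, y: 100, w: 215, h: 138 }, parent: null };
const samplePage = [
  wrapper,
  { id: "flash-settings", tag: "object", opacity: 1,
    rect: { x: 100, y: 100, w: 215, h: 138 }, parent: wrapper },
  { id: "play-button", tag: "button", opacity: 1,
    rect: { x: 150, y: 180, w: 80, h: 30 }, parent: null },
  { id: "video-player", tag: "object", opacity: 1,
    rect: { x: 400, y: 100, w: 320, h: 240 }, parent: null },
];

console.log(findHiddenPluginOverlays(samplePage));
```

In a real browser the same fields would come from `getComputedStyle(el).opacity` and `el.getBoundingClientRect()`.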
A blend of product manager and journalist with a pinch of e-threat analysis, Loredana writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair.