Hackers can remote control your webcam and mic, Adobe issues ‘critical’ advisory

Posted by Humphrey Cheung

San Jose (CA) – Adobe has issued a “critical” security alert to users of its Flash player. The company warns that hackers can trick people into clicking on a link that then lets them remotely control the user’s webcam and microphone. Adobe’s security warning comes on the heels of recently released proof-of-concept code which shows the attack in action.

The attack, dubbed ClickJacking, uses JavaScript and other scripting languages to fool a user into clicking on invisible links that are obscured by graphic elements or other windows. The user thinks he’s clicking on an innocuous box or game element, but in fact that click is being transmitted to another frame. Such attacks have been around for ages on the Internet, but this appears to be the first time Adobe Flash has been targeted.

Guy Aharonovsky has released proof-of-concept code that demonstrates the attack on a demo page. In the demo, the user is presented with a simple game that forces the user to click around the screen. Unfortunately, there’s an invisible iframe under the primary screen, and some of those clicks are actually opening other websites and dialogue boxes. This eventually leads to the user’s webcam and microphone being taken over. Mr. Aharonovsky promises that his demo doesn’t actually record any information, but you can view his YouTube video of the demo if you are concerned about your browser’s safety.


Adobe’s advisory gives credit to five researchers, including Jeremiah Grossman and Robert Hansen from WhiteHat Security. The pair was supposed to give a presentation about the vulnerability at the AppSec conference in New York City last month, but cancelled it at Adobe’s request. Mr. Hansen has since published more details about the vulnerability on his blog.

Adobe Flash Player 9.0.124.0 and all earlier versions are vulnerable, and the company advises people to go into the Flash Player settings menu and select “Always deny” in the Global Privacy Settings panel. This will always deny access to the microphone and webcam and should be considered a temporary workaround while Adobe researches a more permanent solution.