Explore Newsletters from ECT News Network » View Samples | Subscribe
Welcome Guest | Sign In
Women in Tech

Creepy Clickjacking Bug Lets Hackers Control Webcams

By Walaika Haskins TechNewsWorld ECT News Network
Oct 8, 2008 4:07 PM PT

Software maker Adobe issued a security advisory Tuesday warning users of its Adobe Flash Player about a vulnerability that could expose them to so-called clickjacking attacks.

Creepy Clickjacking Bug Lets Hackers Control Webcams

Adobe has rated the issue as "critical." The vulnerability is pervasive, affecting all major browsers including Microsoft's Internet Explorer, Apple's Safari and Mozilla's Firefox.

While Adobe has not issued a patch for the bug, it has included a workaround in the advisory. The company hopes to address the vulnerability in an upcoming Flash Player update, scheduled for release by the end of October.

Adobe credits security researchers Robert Hansen of SecTheory, Jeremiah Grossman of WhiteHat Security, Eduardo Vela and Matt Mastracci of DotSpots as well as Liu Die Yu for reporting the vulnerability.

Hijacking Clicks

Clickjacking has been around for a while, according to Chris Rodriguez, an analyst at Frost & Sullivan.

"[Clickjacking] comes in many different forms. It has been greatly overlooked by the security community and the criminal community alike. Recently, researchers have demonstrated the dangers of this threat through an Adobe Flash Player vulnerability that would allow an attacker to gain control of a user's microphone and webcam," he told TechNewsWorld.

The exploited vulnerability poses a risk when an attacker is able to trick a user into unwittingly clicking on a link or dialog, according to Adobe.

Clickjacking is usually done by using invisible buttons to get a user to click on something unintentionally, Rodriguez explained.

"However, Adobe's security bulletin is in response to some really nefarious stuff that has been a hot topic lately. Someone has figured out how to use clickjacking to gain access to the user's microphone and webcam. Now that's some scary stuff," he continued.

Celebrity Vulnerabilities

The problem with this and other high-profile security flaws is that they "are quickly weaponized -- in as little as a week, or less," said Rodriguez.

"More importantly, Adobe has only provided a workaround and has not released a patch. Even when a fix is available, Adobe Flash updates are not usually a part of enterprise patch management cycles. We expect that Adobe is working around the clock to fix this problem and until then, users are at risk unless they research, understand and take the recommended measures against this threat," he added.

As Web browsers become more advanced, these types of threats will continue, according to Phil Hochmuth, a Yankee Group analyst.

"As browsers continue to take on the role of traditional desktop applications, and even desktop operating environments, the increased complexity of plug-ins and browser enhancement tools will no doubt lead to more exploitable flaws and vulnerabilities," he told TechNewsWorld.

digital to-do list for turning customers into fans
How important is the availability of curbside service when you consider a physical store to do your shopping?
Critically Important - I will not shop at an establishment that does not provide curbside service.
Quite Important - During the pandemic I prefer not to go inside a physical location. Still, I will consider a business that does not offer curbside service.
Somewhat Important - I like a curbside option, but itís not part of my decision-making process when I choose where to shop.
Not Important - I do not use curbside pickup. When I go out to shop I want to select everything myself.
Women in Tech