We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Webcams and mics hijacked in 'Clickjacking' attacks

Adobe admits all Flash platforms are affected

Adobe has revealed that Clickjacking attacks may involve hackers secretly turning on a computer's microphone and web camera.

Flash on all platforms is susceptible to clickjacking attacks, Adobe said in a blog. By duping users into visiting a malicious website, hackers could hijack seemingly-innocent clicks that, in reality, would be used to grant the site access to the computer's webcam and microphone without the user's knowledge.

"This potential Clickjacking browser issue affects Adobe Flash Player's microphone and camera access dialog," said David Lenoe, the company's security program manager.

Although a patch is not ready - Lenoe said one would be issued by the end of October - Adobe's advisory listed steps users can take immediately to block webcam and microphone hijacking. Adobe recommended that users access Flash's Settings Manager using a browser to select the 'Always deny' option. Adobe rated the vulnerability as 'critical', its highest threat ranking.

According to Robert Hansen, one of the two security researchers who first raised the warning about clickjacking last month, Adobe will patch the bug in Flash 10, which already has been pegged for other fixes, including a flaw that's been used by attackers for over a month to poison clipboards with URLs to malicious sites.

Hansen noted that Macs are particularly vulnerable to the Flash clickjacking attack, since all recent Apple laptops and desktop systems include built-in cameras and microphones.

At the same time that Adobe posted its advisory, it gave Hansen and his research partner, Jeremiah Grossman, the green light to reveal clickjacking details that they had kept confidential at Adobe's request.

Hansen posted a long entry to his blog that spelled out a dozen different clickjacking attack scenarios. Two weeks ago, when they provided only a general description of clickjacking, Hansen stressed that it was not a single exploit, but a new class of exploits.

"There are multiple variants of clickjacking," Hansen said. "Some of it requires cross-domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn't. Some variants use [cross-site request forgery] to pre-load data in forms, some don't."

See also: FAQ: Clickjacking - is your PC at risk?

Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security product reviews

IDG UK Sites

LG G4 Note UK release date and specification rumours: Samsung Galaxy Note 5 killer could be the LG 3......

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 off Retina iMac with new model