Wednesday, October 8, 2008

SpyCam Story #480 - Clickjacking ALERT

A security researcher in Israel has released a demo of a “clickjacking” attack, using an JavaScript game to turn every browser into a surveillance zombie.

The release of the demo follows last month’s partial disclosure of the cross-platform attack/threat, which affects all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

In Guy Aharonovsky’s demo game, a Web page is set up to seamlessly hide another page in the background that’s actually managing the target’s Adobe Flash Player privacy settings manager.

Using a series of clicks bouncing around the rigged page, Aharonovsky is able to silently hijack the user’s clicks to modify the Flash privacy settings and take complete control of the installed webcam.

The wet dream of every private eye and peeping tom. Imagine this scenario, you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

If you don’t want to try it or don’t have a webcam connected, you can see the attack in action in this YouTube video.
[ SEE: Clickjacking: Scary new cross-browser exploit]
[ UPDATE: The details are out. Lots of unresolved clickjacking issues]
[Quote of the Day: "...the average end user would have no idea what’s going on during a Clickjack attack." – Ryan Naraine]

FINAL UPDATE – 10/15/08
Adobe Systems has released a new version of its Flash Player software, fixing a critical security bug that could make the Internet a dangerous place for Web surfers.

The new Flash Player 10 software, released Wednesday, fixes security flaws in Adobe's multimedia software including bugs that could allow hackers to pull off what's known as a clickjacking attack, wrote Adobe spokesman David Lenoe in a blog posting.

For those who can't update to this new version of Flash, a Flash 9 security patch is still about a month off, he added. Adobe rates the clickjacking bug as 'critical.' (more)