Underscoring the severity of a new class of vulnerability known as clickjacking, a blogger has created a proof-of-concept game that uses a PC's video cam and microphone to secretly spy on the player. The demo, which is available here, appears to be a simple game that tests how quickly a user can click on a series of moving …
Yet another reason to use Flashblock on Firefox (flashblock.mozdev.org). This thing utterly fails with Flashblock installed. In fact (because of the way it does the div layer/iFrame/CSS/whatever trickery that hides the security stuff) you can't even stupid your way into this vulnerability with FB installed.
Actually you're better off just telling people to turn on their cameras and providing instructions. The stupid ones will just do it in order to play your "bejeweled" knock-off.
clickjacking is nothing new
I presume this is an example of clickjacking.
<a href="http://www.MyMaliciousSite.com" OnMouseOver="window.status='http://MyFriendlySite.com'; return true;" OnMouseOut="window.status=''; return true;">http://MyFriendlySite.com</a>
Doesn't work in FF with default settings. Works perfectly in IE6. I don't know about IE7 or IE8, having never used them.
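A defender's check for the status-bar trick in the link quoted above: it flags anchors whose inline handlers write `window.status`, or whose visible text names a different host than the `href`. This is an added example, not part of the original comment; `audit`, `LinkAuditor` and `host_of` are names chosen here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

STATUS_WRITE = re.compile(r"window\.status\s*=", re.I)  # handler rewrites status bar
# Visible link text that itself looks like a URL or a bare hostname.
URLISH = re.compile(r"^([a-z][a-z0-9+.-]*://)?([a-z0-9-]+\.)+[a-z]{2,}([/:?#]\S*)?$", re.I)

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if there is none."""
    try:
        host = (urlparse(url.strip()).hostname or "").lower()
    except ValueError:  # malformed authority such as an unclosed '['
        return ""
    return host[4:] if host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    """Records anchors whose presentation disagrees with their real target."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (href, visible text, [reasons])
        self._open = None   # anchor being read: (href, reasons, text parts)

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # html.parser lower-cases tag and attribute names
            reasons = [f"{name} rewrites window.status" for name, value in attrs
                       if name.startswith("on") and STATUS_WRITE.search(value or "")]
            self._open = (dict(attrs).get("href") or "", reasons, [])

    def handle_data(self, data):
        if self._open:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            (href, reasons, parts), self._open = self._open, None
            text = "".join(parts).strip()
            shown = host_of(text if "//" in text else "//" + text)
            target = host_of(href)  # '' for relative links, which stay on the site
            if URLISH.match(text) and target and shown != target:
                reasons.append(f"text shows {shown} but href goes to {target}")
            if reasons:
                self.findings.append((href, text, reasons))

def audit(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Run on the link quoted above, `audit()` returns one finding with three reasons: the two handlers that write `window.status` and the mismatch between the displayed host and the `href` host. Link text that is not itself a URL is not judged.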
Doesn't work here
Clicking the link brings me to their page briefly, then I am redirected to the Flash settings page.
Built-in laptop cams...
mean we're screwed. It's scary to think my friends could actually fall for that. Also scary realising I was sitting there topless when my webcam popped up.
Then again, I see a pretty green light when my macbook pro's cam is used :)
Nothing new here...
Same old, same old. All this is is a classic misdirect. It's a slightly fancier version of
Click here for <A href=bar>foo</A>
Where the user thinks they are going to foo and end up at bar. Add a little flash to create a little false sense of urgency and off ya go.
If it's a new problem then why does my age old solution still work? Don't install flash, java or allow scripts to run. The web was made to be static. Dynamic content is for 12 year old ADD victims.
Will Symantec virus checker detect it?
I wonder, Symantec don't seem so interested in privacy judging by John Thompson (of Symantec)'s recent comments.
If the EULA of the game had buried in it that it seizes your camera and mic would Symantec take their side or side with the customers?
I'd refer you again to John Thompson's comments to see how seriously he takes your privacy.
I tried this little game and was immediately asked by my Adobe flash plugin (which is the latest version btw) whether or not I wanted to allow it access to my webcam and mic (Privacy settings ftw!!).
I clicked "Allow" and was immediately prompted by my firewall/security suite that the Adobe plugin was attempting to use a dll to access my webcam (and then a subsequent one for my mic) and whether I should deny or allow.
I don't think this is going to work on a lot of people. I think Vista will also question this type of behaviour if you have Windows Defender and UAC activated (need to test this).
Well... You can be somewhat safer with a little common sense.
Let's say you've been browsing the web. You think you may have been clickjacked, but so far all you've done is check out The Register and JibJab. So far, so good.
But you'd like to check something that requires a login, like maybe one of your online accounts.
Shut down your browser. Use Firefox's tool for deleting all your personal info and clear it ALL out, including cookies. Mine is set up to do this automatically whenever I close the browser, and to get confirmation from me so I can see that it's doing it.
Once the browser is entirely closed down, open a new browser instance and do your secure browsing in a new session. When you're done, again close the browser all the way down.
As long as you do sensitive things in their own, squeaky-clean sessions, I don't think you can be clickjacked in any mortally dangerous way.
I could be wrong, but...
An explanation might be nice
For the first time, I've read a Reg story I've been unable to follow. I might have been able to follow it, were it not for the fact that the article doesn't actually explain what ClickJacking is or how it works. It says that anybody with a website can direct you to a given page... but I can do that - by putting links on my website that point there.
Why does Flash need to be able to access system files in the first place? Oh, that's right, Web 2.0. Hmmm. If a web application cannot be built without needing to access system files, then it's not a web application ... it's a system application that uses web delivery.
This is a perfect example (among many others regarding Flash and even Java) of why there should be separation between web applications and traditional applications. Since the underlying OS is largely responsible for maintaining security, applications that build on that must be able to ameliorate security issues that the OS does not deal with, or which are not security issues, when run in any other scenario (i.e. running a localized app).
Clickjacking is not quite as simple as the examples given above (i.e. different href value than the displayed link value), and enabling such behavior by including system-deep access for a third party, web-deployable app is bad practice. Just because Adobe wants you to be able to access the system to increase the perceived value of their little toy* does not mean that it's a good idea.
*I've been programming with Flash since it was in virtual beta (FutureSplash), and the directions it has taken under Adobe's guidance are disturbing and unnecessary.
I USE LYNX ON DOS
RUN OUT OF ROM ON MY SPECIAL CUSTOM PICAXE COMPUTER. UPPERCASE TEXT ONLY BUT IM SAFE FROM THEM HACK0RZ.
ALL YOUR PICAXES IS BELONG TO US!!
All major browsers
I guess Opera users are safe, then.
There are some problems with your comment: * A title is required.
If it could activate my webcam without the little green LED beside the lens coming on I'd be worried.
I myself only have a crazy cat, and as far as I know he does not surf the web when I'm out.
But seeing so many of my friends and colleagues having kids, who are growing kinda fast... That's trouble. Them kidz love those Flash games, and I doubt many of them will be as savvy as the regular Reg reader to notice that things are not quite right in some site or the like. Anyway, another reason for the parents to keep a close eye on computer use, it would seem.
RE: Nothing new here...
It's a slightly fancier version of Click here for <A href=bar>foo</A>
Where the user thinks they are going to foo and end up at bar.
Quite right. I can't begin to tell you how many times I have gone out in search of foo, and wound up at the bar.
"[...] proof of concept used Flash, but the writer went on to say that the same thing could have been achieved using Java, SilverLight, or Dynamic Hyper Text Markup Language"
You should add SVG to the list of potential vectors. I haven't read any warnings about actual attacks, but I predict it will be exploited given time. To be honest, I'm surprised it hasn't been used as an attack vector yet, especially considering that as an SVG file is generally going to be embedded using an <IMG> tag, it neatly sidesteps blog sanitisation checks that strip <SCRIPT> tags. Someone ought to do an article about SVG risks (hint hint).
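A check a blog or forum could run on uploaded SVG files, since stripping <SCRIPT> tags from the surrounding HTML never inspects the image file itself. This is an added example, not part of the original comment; the allowlist contents and the names `svg_violations` and `split_name` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Assumed policy for this example: static drawing primitives only, so no
# scripting, event handlers, links or embedded foreign content get through.
ALLOWED_ELEMENTS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "text", "title", "desc"}
ALLOWED_ATTRS = {"id", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx",
                 "ry", "d", "points", "width", "height", "viewBox", "version",
                 "transform", "fill", "stroke", "stroke-width", "opacity",
                 "font-size", "font-family"}

def split_name(name):
    """Split ElementTree's '{namespace}local' names into (namespace, local)."""
    if name.startswith("{"):
        namespace, _, local = name[1:].partition("}")
        return namespace, local
    return "", name

def svg_violations(data):
    """Return why an uploaded SVG (bytes) fails the allowlist; [] means accept."""
    upper = data.upper()
    # Refuse before parsing: entity tricks, or NUL bytes that indicate
    # UTF-16/32 text which the byte search above cannot read.
    if b"\x00" in data or b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["DOCTYPE, entity declaration or NUL byte"]
    try:
        root = ET.fromstring(data)
    except (ET.ParseError, LookupError, ValueError):
        return ["not well-formed XML"]
    problems = []
    for element in root.iter():
        namespace, tag = split_name(element.tag)
        if namespace != SVG_NS or tag not in ALLOWED_ELEMENTS:
            problems.append(f"element <{tag}> is not allowed")
            continue
        for name, value in element.attrib.items():
            attr_ns, attr = split_name(name)
            if attr_ns or attr not in ALLOWED_ATTRS:
                problems.append(f"attribute {attr} on <{tag}> is not allowed")
            elif "url(" in value.lower():
                problems.append(f"url() reference in {attr} on <{tag}>")
    return problems
```

An allowlist is used rather than a list of known-bad tags because anything not explicitly permitted, including elements and attributes added to SVG later, is rejected by default.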
I didn't think that DOS would run on a PICAXE- you must be an incredibly l33t and secure hAx0r yourself!
Dynamic content isn't just for 12 year olds with ADD. Flash / Java etc let you have a far more polished looking system than static HTML. Though these should be kept entirely separate from the "host" system. Otherwise you'll end up with "Windows Only Java" and "TuxFLASH".
Didn't Google announce a while back that it can now search and index Flash files? Couldn't you use their Search function to look for "suspicious" code in DHTML/Flash/etc?
Haven't tried it on Firefox - but in Google Chrome and IE6 on a fully patched XP Pro SP3 system, the demo site loads up for half a second then redirects to Adobe's Flash Player Settings Manager page at macromedia.com
Even if this did work, I'd love to see it remove the lens cap on my webcam =P
Is Linux vulnerable?
I use Linux and Firefox with flashblock. Alas, I don't have a webcam, so I can't test it myself. It's not so much, in this case, that I think Linux's security is better, it's just sufficiently different from the Windows model that I can't judge from what's in the article. If anybody tries this with Linux, please post your experience.
MacBook with FF3, I don't understand. If I move my mouse about I see a ghosted image of a security box for flash, but that's about it... I'm guessing this is an IE thing, I'll try at work tomorrow.
This is why
I've always thought that mics and cameras built into computers should have a "physical" on/off switch, not a "soft" on/off switch.
Hijacking a computer's camera/mic has been around for a long time. Trojan software has been available for years that does this, this is merely a new vector for an old hack.
I guess I wasted 6 bucks ...
... when I bought my new laptop. 70% of the time, I'm using a monitor, keyboard and mouse and the lid is closed. So all he'd get would be a nice view of the keyboard frame.
I shudder to think, however, what kind of images someone might snatch. I'm "visualizing" pimply 40 year old guys sitting around in their underwear, playing "that hot new game". My eyes, my eyes!!!!!!!!!
I don't have a webcam, but my microphone has a real on/off right on it. I always keep it in the off position unless I'm using it for no other reason than the fact I like hitting the switch.
Paris, because she does have a webcam she doesn't turn off at "bedtime."
Just run a virtual machine; VMware Player has a nix-based Firefox image.
No, no smugness here. Genuine question: does anyone know for certain if Linux is safe from this? I mean FF with Swfdec is a good start because no Flash content will even play until I request it. I do have a webcam though. Might try it out.
Man, I do love the Grumpy Old Man approach. "Brragh, graaa, nothing new should ever be developed, rarrrgh, everything dynamic is horrible and useless, fraaarrgggh, nyarrr, I deny the existence of PHP, mumble, grumble..."
... telling the user they are going one place and sending them to another... isn't that how the internet works, telling them a nice friendly url like bbc.com and then directing them to bbc.co.uk?
Also as soon as flash had access to mic and cam there is now a security box to tick to say allow it.
I really don't see how this is even a security flaw... being able to see people at the computer does not give their bank details, in fact you're likely to be scarred for life depending on the time of day you may look.
Now a few more words:
Seriously... Not using your webcam, put a lens cap on it, you won't have to tit about with cotton wool buds cleaning it half as much. Also mute the mixer on your microphone when you aren't using it, this can only be good practice.
death of a buzzword...
"Dynamic Hyper Text Markup Language" does this herald the death of the use of AJAX to describe dhtml, and a reversion back to calling a spade a spade?
If so I will be happy, cos I'm sick of clients asking for AJAX based sites whilst categorically stating that they don't want DHTML.
"I myself only have a crazy cat, and as far as I know he does not surf the web when I'm out."
I had a cat that used to chat on IRC when I was out of the house. People in the channel were quite used to it and used to greet him and occasionally converse with him. He never launched botnets or the like, so for that at least I am grateful.
This is why
I have used flashblock and noscript since they launched. I also use Linux for banking, general surfing and windows when I need to run certain apps.
I have always loathed flash and the security issues that keep popping up with it. If a site uses flash I hit the back button and go to a competitor's site instead. Always have, always will!
I can imagine some Phorm of technology that could alter links as they come phrom a website. If you think of some reason to get one of the big ISPs to pass all their user traffic through your server then you would be able to do this to any website.
Myself, I can't imagine that it would be legal to alter traffic from websites at the ISP. If it was I am sure all the users would boycott it.
A truly simple solution
Put Blu-Tack over the camera lens.
Rickroll through a loopback into your microphone socket.
Cool game ...
"This game demonstrate how the user's camera and microphone can be spied uppon [sic] without her knowing."
Paris, cos I believe she may have fallen for this before now.
Maone, the man with a plan.
Dan, if your Noscript extension had been enabled you would by now have received the latest update to version 188.8.131.52. This version includes Clearclick, Giorgio Maone's anti-clickjacking technology.
Noscript elevates Firefox from excellent to magnifico!
@Steve Hunter - damn right!
Been advising people to install FB immediately after installing FF, for ages. It's by far the best plugin ever, not only saves on bandwidth, by stopping all those stupid Flash ads but also stops crap like this and allows you to choose if you want to run the flash in question, then the onus is on you to action the start of the Flash. FB should be built into FF by Mozilla!
That's all we need!
Combine that with the current attempt at "Phormjacking" & what do we get?
We really do need a revised HTTP protocol & DNS protocol to protect users' data safety!
@Phil Well... You can be somewhat safer with a little common sense
Flash doesn't store stuff in Firefox; it uses its own settings.
Those with script blockers won't see the wonderful world of t'internet.
Not only does it hijack your webcam ...
... it does a great job of giving you RSI ...
Re: Will Symantec virus checker detect it?
It's Symantec, they're probably behind it like most viruses.
Bloody Norton fan boys. Shoot them all.
Another use for privoxy
I thought keiron was a guy's name?
Why would it matter if you were topless, lol?
Anyway, just cover the laptop's camera when not in use. A sticker would even work. Common sense, and if I had a built in laptop cam I would be suspicious of it looking at me all the time even if I didn't know about peeping toms.
Now does that mean that they can view through the camera while it's in use or only jack it when it's off? (argh, was that a pun..) I remember hearing a similar story this years ago.
Just because you are a boring old fogie Eddie, does not mean everyone is like you. 99% of people use the stuff and most of the time it is safe. Don't call new technology bad and evil because someone managed to exploit it. It's part of life, has major benefits and there are many ways to prevent or patch problems. I'm surprised you know how to turn a computer on.