gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
76793 Posts in 13502 Topics by 1651 Members - Latest Member: Arnold99 November 25, 2024, 06:44:52 am
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Chrome Vulnerable to Camjacking
gfx
gfxgfx
 

Author Topic: Chrome Vulnerable to Camjacking  (Read 721 times)

0 Members and 3 Guests are viewing this topic.

Chrome Vulnerable to Camjacking
« on: June 19, 2013, 12:04:11 pm »
http://www.infosecurity-magazine.com/view/33036/chrome-vulnerable-to-camjacking-

Quote
Camjacking is clickjacking aimed at taking over the PC’s webcam – and although Adobe fixed the Flash vulnerability that allows it back in 2011, it lives on in the Flash implementations of Chrome and (not verified) IE10.

The concept is basic clickjacking. It was raised by habrahabr a week ago. “In this post,” he blogged, “I tried to explain the essence of a new attack (attack itself is not new, but let us call it that) bug peculiar to OS Windows 7,8, Mac OS X. We also need Google Chrome, well, Flash. Topic will address the idea of a total surveillance, especially popular in recent days?” (Google translation from Russian).

That ‘essence’ involves superimposing a Flash image over the webcam control function, but with a transparent box in the Flash. The user sees the Flash image, but not the webcam dialog. He thinks he is pressing OK on the superimposed image, when really he is activating the webcam. The trick does not work with Firefox and Opera, which makes the Flash image opaque and shows the webcam dialog beneath it. “But IE and Chrome 27.0.1453.110 10 well treated transparency and allowed to place himself on top of the text and / or image,” notes habrahabr.

A few days later, Egor Homakov took the ‘essence’ and produced an exploit. “I made a PoC to demonstrate the severity,” he announced. “This works precisely like regular clickjacking - you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you.” The exploit is not yet stable, he warns, but was tested on Mac and Chrome. It places the suggestion of a possibly risque video over the webcam permissions dialog, with the transparent Flash box directly over the real target.

Adobe claims the vulnerability is only in the Chrome implementation of Flash and is not present in Internet Explorer. “This vulnerability affects users on Flash Player installed with Google Chrome," Adobe spokeswoman Heather Edell told the Register in an email. "Google is working to resolve the issue and plans to provide a fix this week,” she added. Google recently amended the disclosure timeline for its own security engineers from 60 days to 7 days for vulnerabilities with active exploits, suggesting that this is long enough for vendors to fix faults. It has thus obliged itself to fulfil Edell’s prediction and provide a fix this week.

Meanwhile, users can watch for unexplained flashes from their webcam LED; but that might just be too late.

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Chrome Vulnerable to Camjacking
 

gfxgfx
gfx
©2005-2024 WinMXWorld.com. All Rights Reserved.
SMF 2.0.19 | SMF © 2021, Simple Machines | Terms and Policies
Page created in 0.008 seconds with 22 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!