Adobe is working on a Flash related Webcam spying bug

The problem is in the Flash Player that allows any website to turn on your webcam and microphone without your knowledge to spy on you.

Adobe is working to fix a bug related to Flash player vulnerability that could be used by some sites to activate the microphone or webcam users without their knowledge. The problem seems to be in the Flash Player Settings Manager on Adobe’s servers and not in the software or the computers of users who, insured from the company.

“Engineers are working to fix the problem,” said Wiebke Lips, company spokesperson in an email. She also explained that the matter does not require any action by the user and no security bulletin will be provided to solve the problem. The vulnerability could be solved by the end of this week, says Lips.

The problem came to light when Feross Aboukhadijeh, a student at Stanford University, announced this bug in a post including a demo. In order to exploit the flaw, attackers use a technique called “Clickjacking” that has become very popular on the sites like Facebook or Twitter. “Clickjacking” involves hiding code to fool people and when you click on a page area that you believe that is normal, something unusual happens. For instance, in this case, users could click on a series of buttons (Facebook like button or repost button) and inadvertently activate the camera or microphone.

Aboukhadijeh Feross said in his post that while all browsers and operating systems are susceptible to this attack, “the process of activating the webcam requires multiple clicks”, making it somewhat difficult to get to an attacker.

Source: cnet.com