Daily cyber threats and internet security news: network security, online safety and latest security alerts
October 7th, 2008

PC Webcams Might Be Abused Through Clickjacking To Silently Spy On Users

An Israeli security researcher has released a demo of a “clickjacking” attack, using a JavaScript game to turn every browser into a surveillance zombie. The proof-of-concept game uses a PC’s video cam and microphone to secretly spy on the player.

The release of the demo follows last month’s partial disclosure of the cross-platform attack/threat, which affects all the major desktop platforms: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The proof of concept used Flash, but the writer went on to say that the same thing could have been achieved using Java, SilverLight, or Dynamic Hyper Text Markup Language.

The demo appears to be a simple game that tests how quickly a user can click on a series of moving targets. Behind the scenes, it combines a generic clickjacking attack with weaknesses in Adobe’s Flash technology to record the player using the PC’s video camera and microphone. Some of the clicks are real game clicks other are jacked clicks. Every time the click is needed to be jacked the content simply move behind the iframe using z-index.

The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he’s clicking on a link that leads to Google – when in fact it takes him to a money transfer page, a banner ad that’s part of a click-fraud scheme, or any other destination the attacker chooses.

Another security researcher, Aviv Raff, has also built a proof-of-concept exploit using a hidden iFrame to hijack clicks to snag Twitter followers. Raff’s demo invisibly overlays a blank page over the Twitter site and sets the”Click Me!” button on the spot where Twitter’s “Follow” icon is displayed. If the target is logged into Twitter, the click on Raff’s demo is actually executed on Twitter’s site.

The idea behind these clickjacking demos can be easily exploited to make it easier to launch drive-by malware download using social engineering techniques. The list of ways this can be abused might include government spying, corporate espionage, cyber stalking, click fraud, and much more. Turning off the webcam may limit the damage, but it doesn’t remove the underlying threat.

Until the affected vendors can come up with adequate patches/mitigations, users might want to move to Firefox + NoScript to get some level of security. Adobe recently issued an advisory giving step-by-step instructions for working around the threat while a fix is pending. The company also said it expected to patch the vulnerability by the end of October. Until now, makers of Internet Explorer, Firefox, Java, Safari, SilverLight and other programs vulnerable to clickjacking have not offered any patches.

Email, Bookmark or Share:
  • E-mail this story to a friend!
  • Digg
  • StumbleUpon
  • Reddit
  • Technorati
  • Slashdot
  • Propeller
  • Google
  • Live
  • YahooMyWeb
  • TwitThis
  • Facebook
  • LinkedIn

More on CyberInsecure:
  • School District Accused Of Spying On Students In Their Homes
  • Clickjacking Exploited On Microblogging Website
  • Serves Infected Banner Ads, Malware Mechanism And Type Remain Unclear
  • Researchers discover new cross-browser exploit that affects all major desktop platforms
  • Facebook Users Can Be Forced Into Liking Arbitrary Pages Through Clickjacking

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: PC Webcams Might Be Abused Through Clickjacking To Silently Spy On Users

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.