Security & Privacy

Adobe fixes Flash webcam and microphone spying flaw

Posted on October 22nd, 2011 by

Related: Your Mac’s camera can be hacked

Security researcher Feross Aboukhadijeh discovered a flaw in Adobe Flash that could allow malicious users to “turn on your webcam and microphone without your knowledge or consent to spy on you.” You may not realize this, but one of the “features” in Flash is the ability for Flash objects to utilize your webcam (or iSight camera) and microphone. Ostensibly, this is so you can interact via Flash with other users, but we’ve never seen this in actual use.

It turns out that a sophisticated clickjacking technique could allow malicious users to set up a web page using CSS opacity to hide the Adobe Flash Settings Manager (a Flash object, naturally, that adjusts settings on your computer), and overlay it with buttons. When you click a button that seems to do something you want to do, the hidden Settings Manager setting gets turned on. Abjoukhadijeh has set up a demo page where you can see how this works.

Adobe has fixed their Settings Manager so this problem can no longer occur. Nevertheless, you might want to go to the Settings Manager page and, on the Global Privacy Settings tab, check Always Deny for the Camera and Microphone settings. Unless you have actually used a webcam and microphone with Flash, or plan to do so, there’s no reason for these settings to be active.