Categories: HackingSecurity

Webcam hacking exploits Chrome Inbuilt Flash player for Camjacking

Researcher Egor Homakov demonstrated the possibility of Webcam hacking exploiting Chrome Inbuilt Flash player, a flaw that represents a serious threat to privacy.

Webcam hacking, hackers are increasing their interest on millions of cams that surround us. These prying eyes are everywhere, in the street as in our home, gaming consoles, smartTV and PC are all equipped with a camera.

The impressive diffusion of mobile devices equipped with web cameras makes Webcam hacking very attractive and it is considerably a serious menace for users’ privacy, these attacks are silenced and could cause serious problems. Think for an instant of the implication related to Webcam hacking made by cybercriminals or by a government for surveillance purpose, we have seen it in the movies but today it is a reality.

Let’s start from domestic webcam, the Webcam hacking is a reality according to a recent post published by Egor Homakov that highlighted a serious flaw in Google Chrome’s integrated Flash player.

Egor Homakov demonstrated that just pressing the play button a user could authorize an attacker to access his webcam giving him the possibility to capture video and audio without getting permission.

I’ve heard a hacker could access my webcam and watch me in front of my computer. Could this really happen?” YES, it is possible exploiting new Flash based flaw in Google Chrome.

This works precisely like regular clickjacking – you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you,” Homakov said.

This type of attack dubbed is known for several years as Clickjacking, a known vulnerability in Adobe Flash Player Settings Manager.

Adobe is aware of Clickjacking attacks and it resolved the flaw with a change to the Flash Player Settings Manager SWF file hosted on the Adobe website.

Differently for Camjacking attacker could hide the Flash Player security message when the flash file is trying to access a web camera or to a microphone.

According the researcher the Webcam hacking is possible exploiting an invisible Flash element present on the page, it is enough that victim using Chrome Browser clicks on it is.

“That’s what I thought as well. written a simple page with the opacity and flash container (flash requested access to the web-camera), it was observed that 21 Firefox, Opera 12.15 or ignore transparency flash animation, or just do not handle. But IE and Chrome 27.0.1453.110 10 well treated transparency and allowed to place himself on top of the text and / or image. That, no doubt, would have gone into the hands of web designers. But to remain on its laurels were just not interested, and I started to dig deeper, taking the idea of Clickjacking attack, but to remake it to fit their needs, ie to borrow all the “useful” function for the attacker. I chose access to the webcam (of course, yet we can get access to the microphone, but it was important, then?) So, I wrote a simple USB flash drive, take a picture with the help of a web camera and sends it to the server. “

Homakov verified that Webcam hacking with Camjacking doesn’t work with semi-transparent on IE.

An Adobe security team representative has confirmed the bug related only to Flash Player for Google Chrome.

Will Google solve the problem in the seven days established for fixing the bug to its products?

But the concerns do not stop at home webcam, Craig Heffner, a former software developer with the NSA declared to have discovered the previously unreported bugs in digital video surveillance equipment from firms including Cisco Systems Inc, D-Link Corp and TRENDnet.

“It’s a significant threat,”

“Somebody could potentially access a camera and view it. Or they could also use it as a pivot point, an initial foothold, to get into the network and start attacking internal systems.” said the specialist.

He announced his intention to demonstrate it during the next Black Hat hacking conference, on July in Las Vegas.

Heffner revealed that he has discovered hundreds of thousands of surveillance cameras exploitable by attackers via Internet.

This is not a movie, neither an episode of the television serie Person of Interest … This is reality and maybe the Big Brother is already exploiting it!

 

Pierluigi Paganini

(Security Affairs – Webcam hacking, Privacy)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

VeriSource data breach impacted 4M individuals

VeriSource breach exposed data of 4M people in Feb 2024; stolen info includes personal details…

2 hours ago

U.S. CISA adds Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Qualitia Active! Mail, Broadcom Brocade Fabric OS,…

5 hours ago

The Turmoil Following BreachForums Shutdown: Confusion, Risks, and a New Beginning

BreachForums, a major data leak marketplace, shut down on April 15 after a MyBB 0-day…

15 hours ago

Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia

Earth Kurma APT carried out a sophisticated campaign against government and telecommunications sectors in Southeast…

16 hours ago

A large-scale phishing campaign targets WordPress WooCommerce users

A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them…

1 day ago

PoC rootkit Curing evades traditional Linux detection systems

Researchers created a PoC rootkit called Curing that uses Linux’s io_uring feature to evade traditional…

1 day ago

This website uses cookies.