An older flaw in the Adobe Flash plugin that should have been fixed two years ago is still exploitable by cyber-criminals, leading to users getting spied on in real time via the built-in camera and microphone.
The flaw relies on the notorious click-jacking technique that allows a malicious user to disguise a transparent flash object (in this case the Privacy settings of the plugin) under a Play button, thus getting permission to stream camera and microphone input to a remote website.
The discovery was made by security researcher Egor Homakov, who built a proof-of-concept attack impersonating a picture slideshow. Playing the slideshow actually authorizes the web page to access the camera and microphone, and a picture of the user is taken. Of course, the camera led blinks, but chances are that the user wonâ€™t get that.
The exploitation technique works on Internet Explorer and Google Chrome browsers with the Adobe Flash plugin installed. It does not work on Opera 12 and Firefox 21, as they ignore the transparency settings. Nor does it work on mobile browsers, as they donâ€™t support Flash.