Old Bug in Flash Allows Cyber-Crooks to Start Webcams, Microphone

An older flaw in the Adobe Flash plugin that should have been fixed two years ago is still exploitable by cyber-criminals, leading to users getting spied on in real time via the built-in camera and microphone.

The flaw relies on the notorious clickjacking technique, which allows a malicious user to disguise a transparent Flash object (in this case, the Privacy settings of the plugin) under a Play button, so that a click on the button grants permission to stream camera and microphone input to a remote website.

The discovery was made by security researcher Egor Homakov, who built a proof-of-concept attack impersonating a picture slideshow. Playing the slideshow actually authorizes the web page to access the camera and microphone, and a picture of the user is taken. Of course, the camera LED blinks, but chances are that the user won’t notice it.

The exploitation technique works on Internet Explorer and Google Chrome browsers with the Adobe Flash plugin installed. It does not work on Opera 12 and Firefox 21, as they ignore the transparency settings. Nor does it work on mobile browsers, as they don’t support Flash.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.
