This post in based on an interesting trick by @typicalrabbit.
UPD: This has been known since 2011, but not fixed yet. Why?! I made a PoC to demonstrate the severity.
TL;DR this works precisely like regular clickjacking - you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you.
This is not a stable exploit (tested on Mac and Chrome. I do use Mac and Chrome so this is a big deal anyway).
Your photo can be saved on our servers but we don't do this in the PoC. (Well, we had an idea to charge $1 for deleting a photo but it would not be fun for you). Donations are welcome though.
Proof of Concept (not safe for work a bit)
Wait a minute! Hire us for security stuff.
Hahaha! This is why I tape over my webcam when i am not using it ;)
ReplyDeletehahaha you r not alone
Deleteseems we are alot out there
DeleteUse an app called camera monitor. It is awesome, and you don't need tape.
DeleteThe proof of concept did not work on my work PC.
Deletelol camjamr lol
DeleteMy browser blocks this. Its a more secure version of chrome-script caleed comodo dragon but I'm gunna get some tape anyway.
Deleteopera next - doesn't work
ReplyDeletelatest chrome - works
http://i.imgur.com/a8H860i.png
ReplyDeleteChromium, Linux
So I tried this on safari for iPad . Nothing plays when I click the play button. Safe / fail?
ReplyDeleteFail, because iOS has no flash.
Deletewait, isn't that a Win?
DeleteIf you're using a Mac, that's a fail to begin with.
Deletejajaja, good one.
DeleteMacPro user here: Wouldn't the Cam light go on if you were 'clickjacked'? Perhaps any user may notice this while on their laptop.
ReplyDeleteAnd they probably will notice, but it is already too late.
DeleteTested on my MBP. Yes the light goes on, but it is momentary.
DeleteIt doesn't go on if the hacker knows what he is doing. The chrome exploit isn't the only way to access your webcam. Check out www.camjamr.com
DeleteI have Mac and Firefox, exploit is not workong. Chrome however, works... Chrome has a build in Flash player. I think that is the problem.
ReplyDeleteI never use a webcam, so I always turn it off completely trough the BIOS; problem solved. Ah, and don't forget, we need to get rid of flash :-)
ReplyDeletewow great, why don't you also disconnect your mouse so you wont accidentally click on something, and throw your keyboard away so no one can steel your password.. duhh!
DeleteTried on my Dell Inspiron that I have webcam disabled and taped over just in case. It failed. I tried on my Samsung GS2 and it failed as well. Disable services when not in use.
ReplyDeleteI am using Chrome Canary for Mac. It asks me for permission :-P The normal Chrome does not ;-)
ReplyDeletedoesnt work, i'm safe :) chromium, linux. i see a overlay window and also the access permission buttons but no 'play' button
ReplyDeleteit really works :O
ReplyDeletechrome - go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html and "Always deny..."
ReplyDeletethen go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html and "Always deny.."
Solved.
It asks for permission to access my camera before it activates. in IE on Windows 7
ReplyDeleteOh!, I nice guy appeared when clicking the play button. Ubuntu 13, Chrome 27.
ReplyDeleteLatest Chrome/MacOS 10.8.4 works, Safari and Firefox do not.
ReplyDeleteChrome on Ubuntu 12.04 LTS - worked. Damn.
ReplyDeletePlay Button appears with the built-in PepperFlash Player, but no image of mine showed. Also Chrome does actually notify at the URL bar, that "USB Web Camera and Microphone" are been used at the moment.
ReplyDeleteWith external flash player I have to grant permissions, after agreeing I can see the picture, the webcam made.
Tested with debian testing/sid and Google Chrome 27.0.1453.110.
This doesn't work on Internet Explorer either. IE puts up a warning that the image wants access to the camera.
ReplyDeleteWindows should use this as a scroogled commercial.
Chromium 27, Windows. Didn't work.
ReplyDeleteNice try, though :)
Nice babies! where did you find those pictures?
ReplyDeleteonline in google, just set the needed size
Deletedoesn´t work for me (Opera, Firefox, Chromium, Internet Explorer, Konqueror)... ...thats why I decided to use a hardware-switch.
ReplyDeleteThankfully if you have plug-ins disabled by default, it doesn't work at all unless you enable them on that page.
ReplyDeleteI have a MacBook Pro and I used both firefox and safari and none of them activated my camera.. the photos are keep sliding but the play button is not clickable.
ReplyDeletemaybe at chrome it will work :P
i think this app make me take more photo from my girlfriend :P
ReplyDeletesounds like your girlfriend always was called with *.jpg
DeleteDoesn't work on Samsung Galaxy S2 phone, running GB version, which supports flash, and Dolphin Browser. White empty box appears when clicking Play. :-)
ReplyDeleteOSX 10.8.4, Chrome 27.0.1453.116
ReplyDelete«http://homakov.github.io/ wants to use your camera and microphone.» http://d.pr/i/VYaI
Confirmed on Windows 7 (7601+SP1) + Chrome 27.0.1453.110 m
ReplyDeleteDoesn't ask for permission to access my camera on Windows 7 SP1 + Chrome 27.0.1453.116 m.
ReplyDeleteDoes it mean the problem hasn't been solved?
this.imgagestr = Base64.encode(this.ba);
ReplyDeleteflash.net.navigateToURL(new flash.net.URLRequest("data:image/jpeg;base64," + this.imgagestr), "_self");
how to save image to server :p
I'm a bikini model, so I'm a little concerned. I have my cam disabled in the bios and a piece of thick tape over the can itself. It still shows a picture of me in my bikini!!! Unsafe!!!!
ReplyDeleteJust go into Device Manager and disable the drivers for the camera device until you need it.
ReplyDeletesafest thing is not using chrome but chromium
ReplyDeleteyes
DeleteDoesn't work on Chrome. Asks for permission.
ReplyDeletehttp://i.imgur.com/CfBVEOd.png
fixed already
DeleteI'm on win7 with chrome 27 - it did ask for permission to use mic and cam
ReplyDeleteAfter several attempts I got asked by Chrome if I wanted to allow my camera to be used. So I guess this does not work on Windows 7/Chrome.
ReplyDeleteFYI
ReplyDeleteOpera on OsX : secure
Chrome on Osx : not secure
Opera on Fedora : not secure
Chrome on Fedora : not secure
Firefox on Fedora : secure
Thanks for sharing @homakov
I clicked every photo...nothing happened. How do we know if our laptop failed? I wish Egor explained what you should expect if your laptop fails. (Win 8, IE 10.0.9200.16660)
ReplyDeleteit's fixed by now in chrome
DeleteMain C:\Doc\uynhi78o90\src;;Main.as run Main/Main void Camera flash.media getCamera cam
ReplyDeleteits seems like u save cam pictures
It does not do anything when I click on the play button. BTW does it work if I have the webcam disabled?
ReplyDeleteHow do I know if it's working or not????
ReplyDeleteit's fixed already
Delete