Thursday, June 13, 2013

Camjacking: Click and say Cheese

on reddit/HN
This post is based on an interesting trick by @typicalrabbit.

UPD: This has been known since 2011, but not fixed yet. Why?! I made a PoC to demonstrate the severity.

TL;DR: this works precisely like regular clickjacking. You click on a transparent Flash object, and that click allows access to the Camera/Audio channel. Voilà, the attacker sees and hears you.

This is not a stable exploit (tested on Mac and Chrome. I do use Mac and Chrome so this is a big deal anyway).
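A defender-side check for the trick described above, added here as an example and not part of the original post or its PoC: it flags Flash objects that can still take a click while being effectively invisible. The function names, the 0.1 opacity threshold and the sample nodes are assumptions made for illustration.

```javascript
// Added defensive example: flags Flash objects that can still receive a click
// but are effectively invisible. Names and threshold are assumptions.
const FLASH_MIME = "application/x-shockwave-flash";

function isFlashElement(el) {
  const tag = (el.tagName || "").toUpperCase();
  if (tag !== "OBJECT" && tag !== "EMBED") return false;
  const url = el.data || el.src || "";
  return el.type === FLASH_MIME || /\.swf(\?|#|$)/i.test(url);
}

// Opacity multiplies down the tree: an opaque <object> inside a transparent
// wrapper is just as invisible as one styled with opacity:0 itself.
function effectiveOpacity(el, getStyle) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const value = parseFloat(getStyle(node).opacity);
    if (!Number.isNaN(value)) opacity *= value;
  }
  return opacity;
}

function findCamjackingCandidates(elements, getStyle, threshold = 0.1) {
  return elements.filter((el) => {
    if (!isFlashElement(el)) return false;
    const style = getStyle(el);
    // Elements that are not rendered or ignore the pointer cannot take the click.
    if (style.display === "none" || style.visibility === "hidden") return false;
    if (style.pointerEvents === "none") return false;
    return effectiveOpacity(el, getStyle) < threshold;
  });
}

// Constructed sample nodes (not taken from the PoC page).
const wrapper = { tagName: "DIV", parentElement: null, style: { opacity: "0.01" } };
const hiddenSwf = { tagName: "OBJECT", type: FLASH_MIME, parentElement: wrapper,
                    style: { opacity: "1" } };
const visibleSwf = { tagName: "EMBED", src: "player.swf", parentElement: null,
                     style: { opacity: "1" } };
const inertSwf = { tagName: "EMBED", src: "ad.swf", parentElement: null,
                   style: { opacity: "0", pointerEvents: "none" } };
const SAMPLE = [wrapper, hiddenSwf, visibleSwf, inertSwf];
const styleOf = (node) => node.style;

console.log(findCamjackingCandidates(SAMPLE, styleOf).length);
// In a browser: findCamjackingCandidates(
//   [...document.querySelectorAll("object, embed")], (el) => getComputedStyle(el));
```

Only the Flash object wrapped in the nearly transparent container is reported; the visible player and the one that ignores pointer events are not.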

Your photo can be saved on our servers but we don't do this in the PoC. (Well, we had an idea to charge $1 for deleting a photo but it would not be fun for you). Donations are welcome though.

Proof of Concept (not safe for work a bit)

Wait a minute! Hire us for security stuff.

57 comments:

  1. Hahaha! This is why I tape over my webcam when I am not using it ;)

    1. hahaha you are not alone

    2. seems we are a lot out there

    3. Use an app called camera monitor. It is awesome, and you don't need tape.

    4. The proof of concept did not work on my work PC.

    5. My browser blocks this. It's a more secure version of chrome-script called Comodo Dragon but I'm gonna get some tape anyway.

  2. opera next - doesn't work
    latest chrome - works

  3. http://i.imgur.com/a8H860i.png
    Chromium, Linux

  4. So I tried this on safari for iPad . Nothing plays when I click the play button. Safe / fail?

    1. Fail, because iOS has no flash.

    2. wait, isn't that a Win?

    3. If you're using a Mac, that's a fail to begin with.

    4. jajaja, good one.

  5. MacPro user here: Wouldn't the Cam light go on if you were 'clickjacked'? Perhaps any user may notice this while on their laptop.

    1. And they probably will notice, but it is already too late.

    2. Tested on my MBP. Yes the light goes on, but it is momentary.

    3. It doesn't go on if the hacker knows what he is doing. The chrome exploit isn't the only way to access your webcam. Check out www.camjamr.com

  6. I have Mac and Firefox, exploit is not working. Chrome, however, works... Chrome has a built-in Flash player. I think that is the problem.

  7. I never use a webcam, so I always turn it off completely through the BIOS; problem solved. Ah, and don't forget, we need to get rid of Flash :-)

    1. wow great, why don't you also disconnect your mouse so you won't accidentally click on something, and throw your keyboard away so no one can steal your password.. duhh!

  8. Tried on my Dell Inspiron that I have webcam disabled and taped over just in case. It failed. I tried on my Samsung GS2 and it failed as well. Disable services when not in use.

  9. I am using Chrome Canary for Mac. It asks me for permission :-P The normal Chrome does not ;-)

  10. doesn't work, I'm safe :) Chromium, Linux. I see an overlay window and also the access permission buttons but no 'play' button

  11. it really works :O

  12. chrome - go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html and "Always deny..."
    then go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html and "Always deny.."
    Solved.

  13. It asks for permission to access my camera before it activates, in IE on Windows 7.

  14. Oh! A nice guy appeared when clicking the play button. Ubuntu 13, Chrome 27.

  15. Latest Chrome/MacOS 10.8.4 works, Safari and Firefox do not.

  16. Chrome on Ubuntu 12.04 LTS - worked. Damn.

  17. Play button appears with the built-in PepperFlash Player, but no image of mine showed. Also Chrome does actually notify at the URL bar that "USB Web Camera and Microphone" are being used at the moment.

    With external Flash player I have to grant permissions; after agreeing I can see the picture the webcam made.

    Tested with debian testing/sid and Google Chrome 27.0.1453.110.

  18. This doesn't work on Internet Explorer either. IE puts up a warning that the image wants access to the camera.

    Windows should use this as a scroogled commercial.

  19. Chromium 27, Windows. Didn't work.
    Nice try, though :)

  20. Nice babies! where did you find those pictures?

    1. online in google, just set the needed size

  21. doesn't work for me (Opera, Firefox, Chromium, Internet Explorer, Konqueror)... that's why I decided to use a hardware switch.

  22. Thankfully if you have plug-ins disabled by default, it doesn't work at all unless you enable them on that page.

  23. I have a MacBook Pro and I used both Firefox and Safari and none of them activated my camera.. the photos keep sliding but the play button is not clickable.
    maybe in Chrome it will work :P

  24. i think this app make me take more photo from my girlfriend :P

    1. sounds like your girlfriend always was called with *.jpg

  25. Doesn't work on Samsung Galaxy S2 phone, running GB version, which supports flash, and Dolphin Browser. White empty box appears when clicking Play. :-)

  26. OSX 10.8.4, Chrome 27.0.1453.116
    «http://homakov.github.io/ wants to use your camera and microphone.» http://d.pr/i/VYaI

  27. Confirmed on Windows 7 (7601+SP1) + Chrome 27.0.1453.110 m

  28. Doesn't ask for permission to access my camera on Windows 7 SP1 + Chrome 27.0.1453.116 m.
    Does it mean the problem hasn't been solved?

  29. this.imgagestr = Base64.encode(this.ba);
    flash.net.navigateToURL(new flash.net.URLRequest("data:image/jpeg;base64," + this.imgagestr), "_self");

    how to save image to server :p

  30. I'm a bikini model, so I'm a little concerned. I have my cam disabled in the BIOS and a piece of thick tape over the cam itself. It still shows a picture of me in my bikini!!! Unsafe!!!!

  31. Just go into Device Manager and disable the drivers for the camera device until you need it.

  32. safest thing is not using chrome but chromium

  33. Doesn't work on Chrome. Asks for permission.
    http://i.imgur.com/CfBVEOd.png

  34. I'm on win7 with chrome 27 - it did ask for permission to use mic and cam

  35. After several attempts I got asked by Chrome if I wanted to allow my camera to be used. So I guess this does not work on Windows 7/Chrome.

  36. FYI
    Opera on OS X : secure
    Chrome on OS X : not secure
    Opera on Fedora : not secure
    Chrome on Fedora : not secure
    Firefox on Fedora : secure

    Thanks for sharing @homakov

  37. I clicked every photo...nothing happened. How do we know if our laptop failed? I wish Egor explained what you should expect if your laptop fails. (Win 8, IE 10.0.9200.16660)

  38. Main C:\Doc\uynhi78o90\src;;Main.as run Main/Main void Camera flash.media getCamera cam

    It seems like you save cam pictures
