This post is based on an interesting trick by @typicalrabbit.
UPD: This has been known since 2011, but not fixed yet. Why?! I made a PoC to demonstrate the severity.
TL;DR: this works precisely like regular clickjacking: you click on a transparent Flash object, and it allows access to the camera/audio channel. Voilà, the attacker sees and hears you.
This is not a stable exploit (tested on Mac and Chrome; I do use Mac and Chrome, so this is a big deal anyway).
Your photo can be saved on our servers but we don't do this in the PoC. (Well, we had an idea to charge $1 for deleting a photo but it would not be fun for you). Donations are welcome though.
Proof of Concept (not safe for work a bit)
Wait a minute! Hire us for security stuff.
Hahaha! This is why I tape over my webcam when I am not using it ;)
hahaha you r not alone
seems we are a lot out there
Use an app called camera monitor. It is awesome, and you don't need tape.
The proof of concept did not work on my work PC.
lol camjamr lol
My browser blocks this. It's a more secure version of chrome-script called comodo dragon but I'm gunna get some tape anyway.
opera next - doesn't work
latest chrome - works
So I tried this on safari for iPad. Nothing plays when I click the play button. Safe / fail?
Fail, because iOS has no flash.
wait, isn't that a Win?
If you're using a Mac, that's a fail to begin with.
jajaja, good one.
MacPro user here: Wouldn't the Cam light go on if you were 'clickjacked'? Perhaps any user may notice this while on their laptop.
And they probably will notice, but it is already too late.
Tested on my MBP. Yes the light goes on, but it is momentary.
It doesn't go on if the hacker knows what he is doing. The chrome exploit isn't the only way to access your webcam. Check out www.camjamr.com
I have Mac and Firefox, exploit is not working. Chrome however, works... Chrome has a built-in Flash player. I think that is the problem.
I never use a webcam, so I always turn it off completely through the BIOS; problem solved. Ah, and don't forget, we need to get rid of flash :-)
wow great, why don't you also disconnect your mouse so you won't accidentally click on something, and throw your keyboard away so no one can steal your password.. duhh!
Tried on my Dell Inspiron that I have webcam disabled and taped over just in case. It failed. I tried on my Samsung GS2 and it failed as well. Disable services when not in use.
I am using Chrome Canary for Mac. It asks me for permission :-P The normal Chrome does not ;-)
doesn't work, I'm safe :) chromium, linux. I see an overlay window and also the access permission buttons but no 'play' button
it really works :O
chrome - go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html and "Always deny..."
then go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html and "Always deny.."
It asks for permission to access my camera before it activates. in IE on Windows 7
Oh! A nice guy appeared when clicking the play button. Ubuntu 13, Chrome 27.
Latest Chrome/MacOS 10.8.4 works, Safari and Firefox do not.
Chrome on Ubuntu 12.04 LTS - worked. Damn.
Play Button appears with the built-in PepperFlash Player, but no image of mine showed. Also Chrome does actually notify at the URL bar, that "USB Web Camera and Microphone" are being used at the moment.
With external flash player I have to grant permissions; after agreeing I can see the picture the webcam made.
Tested with debian testing/sid and Google Chrome 27.0.1453.110.
This doesn't work on Internet Explorer either. IE puts up a warning that the image wants access to the camera.
Windows should use this as a scroogled commercial.
Chromium 27, Windows. Didn't work.
Nice try, though :)
Nice babies! Where did you find those pictures?
online in google, just set the needed size
doesn't work for me (Opera, Firefox, Chromium, Internet Explorer, Konqueror)... that's why I decided to use a hardware switch.
Thankfully if you have plug-ins disabled by default, it doesn't work at all unless you enable them on that page.
I have a MacBook Pro and I used both firefox and safari and neither of them activated my camera.. the photos keep sliding but the play button is not clickable.
maybe at chrome it will work :P
I think this app makes me take more photos from my girlfriend :P
sounds like your girlfriend always was called with *.jpg
Doesn't work on Samsung Galaxy S2 phone, running GB version, which supports flash, and Dolphin Browser. White empty box appears when clicking Play. :-)
OSX 10.8.4, Chrome 27.0.1453.116
«http://homakov.github.io/ wants to use your camera and microphone.» http://d.pr/i/VYaI
Confirmed on Windows 7 (7601+SP1) + Chrome 27.0.1453.110 m
Doesn't ask for permission to access my camera on Windows 7 SP1 + Chrome 27.0.1453.116 m.
Does it mean the problem hasn't been solved?
this.imgagestr = Base64.encode(this.ba);
flash.net.navigateToURL(new flash.net.URLRequest("data:image/jpeg;base64," + this.imgagestr), "_self");
how to save image to server :p
I'm a bikini model, so I'm a little concerned. I have my cam disabled in the BIOS and a piece of thick tape over the cam itself. It still shows a picture of me in my bikini!!! Unsafe!!!!
Just go into Device Manager and disable the drivers for the camera device until you need it.
safest thing is not using chrome but chromium
Doesn't work on Chrome. Asks for permission.
I'm on win7 with chrome 27 - it did ask for permission to use mic and cam
After several attempts I got asked by Chrome if I wanted to allow my camera to be used. So I guess this does not work on Windows 7/Chrome.
Opera on OsX : secure
Chrome on Osx : not secure
Opera on Fedora : not secure
Chrome on Fedora : not secure
Firefox on Fedora : secure
Thanks for sharing @homakov
I clicked every photo...nothing happened. How do we know if our laptop failed? I wish Egor explained what you should expect if your laptop fails. (Win 8, IE 10.0.9200.16660)
it's fixed by now in chrome
Main C:\Doc\uynhi78o90\src;;Main.as run Main/Main void Camera flash.media getCamera cam
it seems like u save cam pictures
It does not do anything when I click on the play button. BTW does it work if I have the webcam disabled?
How do I know if it's working or not????
it's fixed already