Google has released on June 18 2013 Chrome version 27.0.1453.116 for Windows, Macintosh and Chrome Frame platforms that addresses a huge vulnerability issue with Flash Player.
This issue is a specific type of clickjacking now known as camjacking, and it basically tricks users into pressing the “Allow” button in the Flash Player Settings window.
This issue has been fixed by Adobe since October 2011, but somehow it could still be leveraged in Chrome to hijack web-cams and microphones.
A proof-of-concept (not safe for work) (Chrome only) was developed by security researcher Egor Homakov @homakov to explain this exploit. This issue was first reported by @typicalrabbit in a blog post on http://habrahabr.ru of which the translated version can be found here.
The proof shows a slide-show of pictures with girls, and right in the middle of it, there’s a play button. If the play button is pressed, the user is actually allowing access to his/her web-cam.
This is done by placing the Flash Player Settings window in an invisible layer with the “Allow” button behind the play button that is shown. And just like that cyber-criminals will have access to your cam and microphone without you even knowing.
Chrome introduced an additional prompt for access to web-cam and microphone. This notification is built in the browser itself, so even if the Flash Player Settings window is hidden like in the example explained above, the Chrome notification still triggers. Below you can see the prompt asking for permission. Until this is also approved no website will be allowed to have access to a person’s web-cam.
Once allowed a setting menu can be accessed by clicking that can be found in the top right corner next to the Chrome menu button. When clicked the following window will be shown, that allows you to manage your camera and microphone.
These privacy options can also be accessed via the Chrome settings like so:
- Click the Chrome menu button on the browser toolbar.
- Select Settings.
- Click Show advanced settings.
- In the “Privacy” section, click Content settings.
- In the “Media” section:
- Ask me when a site requires access to my camera and microphone: Select this option if you want Chrome to alert you whenever a site requests access to your camera and microphone.
- Do not allow sites to access my camera and microphone: Select this option to automatically deny any site requests to access your camera and microphone.
- Click Manage exceptions to remove previously-granted permissions for specific sites.
- In the “Media” section:
The vulnerability flaw is now properly fixed, and your web-cam is now under your full control.