Webcam hijack demo highlights clickjacking threat

Clickjacking demos highlight severity of cross-browser threat

[ UPDATE: The details are out. Lots of unresolved clickjacking issues ]

A security researcher in Israel has released a demo of a "clickjacking" attack, using a JavaScript game to turn every browser into a surveillance zombie.

The release of the demo follows last month's partial disclosure of the cross-platform attack/threat, which affects all the major desktop platforms -- Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

[ SEE: Clickjacking: Scary new cross-browser exploit]

In Guy Aharonovsky's demo game, a Web page is set up to seamlessly hide another page in the background that's actually managing the target's Adobe Flash Player privacy settings manager.

Using a series of clicks bouncing around the rigged page, Aharonovsky is able to silently hijack the user's clicks to modify the Flash privacy settings and take complete control of the installed webcam.

The wet dream of every private eye and peeping tom. Imagine this scenario: you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

If you don't want to try it or don't have a webcam connected, you can see the attack in action in this YouTube video.

[ SEE: Firefox + NoScript vs Clickjacking ]

Aharonovsky's harmless demo game is a perfect example of how clicks on one Web page can actually apply to clicks on a page that's invisible to the end user. The webcam hijack could have been used, for example, with live streaming sites like UStream or JustinTV to create a malicious surveillance platform, he explained.

The demo was done in the form of a JavaScript game but Aharonovsky warns that a Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks; others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index.

I had doubts about publishing this, but if I could understand it, so can the bad guys, so it's better to know about it.

Aviv Raff, a security researcher with expertise in browser hacking, has also built a proof-of-concept exploit using a hidden iFrame to hijack clicks to snag Twitter followers.

Raff's demo invisibly overlays a blank page over the Twitter site and sets the "Click Me!" button on the spot where Twitter's "Follow" icon is displayed. If the target is logged into Twitter, the click on Raff's demo is actually executed on Twitter's site.

The ramifications of this are truly scary and, as Google browser security guru Michal Zalewski explains, difficult to fix.

If you expand the idea behind these clickjacking demos, you can see how this can be exploited to make it easier to launch drive-by malware downloads using social engineering techniques.

Until the affected vendors can come up with adequate patches/mitigations, Web surfers might want to follow Jeremiah Grossman's advice and move to Firefox + NoScript to get some level of security.
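The overlay Aharonovsky and Raff describe works because a browser will load the target page inside a frame on any site that asks for it. The example below is added here and is not code from the ZDNet post, from Aharonovsky or from Raff; it shows the server-side control browsers later adopted against this: reading a page's X-Frame-Options and Content-Security-Policy frame-ancestors response headers and deciding whether a given origin is allowed to frame the page, so a site audit can list the pages a third-party game page could still overlay. The header names and their matching rules are the real ones browsers use; the responses in SAMPLE_RESPONSES and the hostnames settings.example, social.example, legacy.example and attacker.example are constructed for illustration.

```javascript
// Added example, not code from the ZDNet post, from Aharonovsky or from Raff.
// It evaluates the server-side framing controls browsers later adopted against
// this kind of overlay: the X-Frame-Options and Content-Security-Policy
// frame-ancestors response headers. Origins and headers in SAMPLE_RESPONSES
// are constructed for illustration.

// Normalise an origin string ("https://host:port") through the URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Does one CSP source expression ('self', https:, *.example, host[:port])
// admit the framing origin? pageOrigin is the origin of the framed page.
function sourceMatches(src, pageOrigin, framerOrigin) {
  const framer = new URL(framerOrigin);
  if (src === "*") return true;
  if (src === "'none'") return false;
  if (src === "'self'") return originOf(framerOrigin) === originOf(pageOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) { // scheme source, e.g. https:
    return framer.protocol === src.toLowerCase();
  }
  // Host source: [scheme://][*.]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== framer.protocol) return false;
  const fh = framer.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (wildcard ? !fh.endsWith("." + h) : fh !== h) return false;
  if (port && port !== "*") {
    const framerPort = framer.port || (framer.protocol === "https:" ? "443" : "80");
    if (framerPort !== port) return false;
  }
  return true;
}

// Return the frame-ancestors source list from a CSP header, or null if the
// directive is absent. An empty list means the page may not be framed at all.
function frameAncestors(cspHeader) {
  for (const directive of cspHeader.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Case-insensitive header lookup on a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : headers[key];
}

// Decide whether framerOrigin may embed the page served with these headers.
// frame-ancestors takes precedence over X-Frame-Options when both are present,
// which is how current browsers resolve the two.
function framingVerdict(headers, pageOrigin, framerOrigin) {
  const csp = header(headers, "content-security-policy");
  const sources = csp === null ? null : frameAncestors(csp);
  if (sources !== null) {
    const allowed = sources.some((s) => sourceMatches(s, pageOrigin, framerOrigin));
    return { allowed, reason: "CSP frame-ancestors " + (sources.join(" ") || "(empty)") };
  }
  const xfo = header(headers, "x-frame-options");
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
    if (value === "SAMEORIGIN") {
      const same = originOf(framerOrigin) === originOf(pageOrigin);
      return { allowed: same, reason: "X-Frame-Options: SAMEORIGIN" };
    }
    // Browsers ignore values they do not recognise, so treat the page as unprotected.
    return { allowed: true, reason: "unrecognised X-Frame-Options value ignored" };
  }
  return { allowed: true, reason: "no framing policy: any site may frame this page" };
}

// Audit: which of these pages could an untrusted origin still load in a frame
// and cover with a game-style overlay?
function framableBy(responses, framerOrigin) {
  return responses
    .filter((r) => framingVerdict(r.headers, r.origin, framerOrigin).allowed)
    .map((r) => r.origin);
}

// Constructed sample responses (hypothetical hosts, not real sites).
const SAMPLE_RESPONSES = [
  { origin: "https://settings.example", headers: { "X-Frame-Options": "DENY" } },
  {
    origin: "https://social.example",
    headers: {
      "Content-Security-Policy":
        "default-src 'self'; frame-ancestors 'self' https://*.social.example",
    },
  },
  { origin: "https://legacy.example", headers: { "Content-Type": "text/html" } },
];

console.log(framableBy(SAMPLE_RESPONSES, "https://attacker.example"));
// prints [ 'https://legacy.example' ]
```

Run it with node: the audit prints the origins an untrusted page could still frame, which in the sample is only the page that sends no policy at all. Note that a page sending X-Frame-Options: SAMEORIGIN together with frame-ancestors 'none' is not framable even by itself, because the CSP directive wins; a page with no policy is in the position every site was in when these demos appeared.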

Comments
  • ZeroDay/Ryan, you rock

    This is the best security blog out there.

    Usually with IT blogs you either get a fast short echo of a release or a delayed lengthy and usually opinionated article. But ZD posts are great technical summaries of dispersed information with clear explanations, right away, and in the right length. And always with links for further information.

  • The Zalewski HTTP/HTML proposals

    Look good but it is far in the future for the masses...
  • This will become a real nightmare!!!

    Do not be confused, this is the beginning of the biggest news of the year!
    It's too easy to do and when the script kiddies start to apply it all heck is going to happen.
    Just imagine the SQL injection with this in it polluting valid sites.
  • RE: Webcam hijack demo highlights clickjacking threat

    So many bells and whistles, it's hard to hear the sound of the approaching tiger these days.
  • Ryan, please add a post how to protect against clickjacking

    Ryan, instead of just telling users to use Firefox + NoScript, please tell users how to protect themselves against this threat if they use other browsers, otherwise this looks like browser evangelism. With Opera, you can add a NoScript-like protection (actually, for the security conscious, there is no browser like it because no other browser comes close to it for security configuration) by disabling plugins and iframes. It is not possible to completely disable iframes in IE, therefore there cannot be complete protection, but the threat can be mitigated somewhat by selecting the strongest security level.
  • Time to ditch HTML

    It's too outdated to keep up with today's internet.
    • Just the frames and other things that allow multiple domains on a page

      Actually, there's not much other than frames that makes HTML vulnerable to this. This is mostly a cross site manipulation issue. The bad guy hides his website in a way that remains persistent, and uses something like scripts and plugins to create an invisible, clickable overlay. The best way to get rid of the problem is to get rid of the things that are allowing more than one domain to appear on a page.

      . . . and HTML is far from outdated. It's the bread and butter of any decent web designer. It's the best way to create web pages.
  • yeah, it got figured out quickly.

    We pretty much figured it out in the first article about clickjacking. Invisible iframes, using scripting languages to create invisible overlays, etc.

    And quite frankly, this is nothing new; it has just been ignored for too long. Glad to see somebody finally say "hey, this is really a problem."

    Here's what should happen:

    -Get rid of frames, including iFrames. Beyond ads, they have no practical use.

    -If you want ads, merge them with your page on the server side.

    -Addons and plugins shouldn't be able to break out of the "box" they're in without user permissions.

    -Cross site scripting of any kind across domains should be strictly forbidden. Don't need it, and don't want it. Do all of the cross site stuff server side.

    This problem isn't that hard to fix. It's just that whiners are going to pop up because they've been relying on client side scripts too long and never bothered to learn how to do anything server side.
  • Easy solution, hard distribution

    Someone getting hijacked by this is really a moron, stupid jack ass.

    The same way with any rogue application that requires clickable agreement for accessing unprotected data/hardware.

    If the horror is not enough you can imagine all the Internet Explorer javascript extensions that allow windows api calls ... the solution for adobe flash player would be for the confirmation dialog to appear in an operating system window, thus being inaccessible by javascript and only by the user.

    But adobe chose the easy way, thinking probably of crossplatform usage of flash-player where calling native GUI Api could have been a problem, in windows you can simply call win32 api but on other OS you must deal with each gui framework used (the horror on linux with gtk/qt/kde libs not being installed).

    In any way, having flash player create a native window directly would add serious payload to it, rendering it harder to distribute across platforms.

    This is what happens when people choose the easy way.

    Flash Player 10 is not yet on the market, being only beta, so they can still have an update in time before releasing it.

    People will upgrade because flash designers/developers know the potential in the new features it adds like 3d coordinates and such.
    • "Someone getting hijacked by this...."

      ".... is really a moron...."

      The sad thing is that there are at least as many "morons" online these days as there are users with enough sense NOT to fall for something like that PoC game. Even a few relatively experienced users may end up in the hole due to slip-ups in judgement or social engineering ploys that sidestep the users' better judgement.

      Also, doesn't seem like an exploit that has a very widespread USEFULNESS, since jacking somebody's webcam will probably only give the 'jacker the pleasure of watching blank stares and listening to the mindless mumbles of a typical user browsing the 'Net...
  • Bravo! Very clever technique. Demonstrates the over-reliance on Flash

    In recent years, Adobe Macromedia Flash became a platform where people develop interactive web applications and stream video. That means just about everyone has the Flash viewer installed.

    One of the problems with Flash player is that it runs in the browser, and the performance suffers on older computers such as those not optimized with certain Intel multimedia optimizing instructions such as the Transmeta Crusoe CPU, or those computers with 256MB RAM or less. However, the computer itself is not to blame as compiled video players such as MediaPlayer Classic, PowerDVD can play other video formats such as MPEG2 flawlessly, whereas even a flash video of much lower quality and frame rate will run slowly in a flash player.

    Even BBC switched away from Windows Media and Real format to serve flash video. This shows the ubiquitous assumed acceptance of Flash.

    Performance aside, the more power flash has, the more widespread it is, the more vulnerable it will become.

    In addition, too many sites deviated from the concept of good simple web site and incorporate an excessive amount of AJAX implementation. For example, Facebook is slow as a pig now which turns off many users.

    With more functionality comes more flaws, that's the price of progress. Though bravo to the author of this clever exploit.
  • RE: Webcam hijack demo highlights clickjacking threat

    Solution to prevent such an attack?
  • RE: Webcam hijack demo highlights clickjacking threat

    I'm wondering if all the problems I've been having are because of this. My GF loves to watch movies and TV shows from less than reputable sites.

    Even after reading this she went right back to it. I found her doing it on my notebook a couple of weeks ago.

    I've had problems with clicks not working. I'd click and nothing would happen. Very frustrating at times. I'd watch my cursor go into pause constantly. Most of the sidebars and some tool bars I'd open with Firefox would close. Since I use roboform this was very frustrating. The all in one tool bar would behave the same way.

    I had deactivated no scripting thinking it might be causing the problem. I just re-installed it and reset it back to the default and forbid Iframes as directed in the above article.

    Right now everything is working just fine. I hope it continues! Too early to tell for sure as things have gone back to normal before but then later the issues re-surfaced.

    Had my gf do the same thing. Bet she doesn't keep it there. ;) I just found one window that closed. I'm afraid the damage is done and it is time to re-install. :(
  • I use OmniWeb

    In this browser, I have the option to disable loading of content from third party sites - thus the iframe in this page can't load content from anywhere else other than the site the page came from.

    This doesn't make me immune to clickjacking, but at least I can't have someone invisibly loading up other sites "underneath" a page I'm interested in reading.

    Then again, I don't play web games - every one I've seen so far just works as a teaser to get you to load some new malware or visit some commercial site selling crap that isn't worth buying.