We discussed an overview of clickjacking previously. Along the same lines, a researcher has now published a PoC showing how clickjacking can be used to hack into a victim’s audio and video device (webcam). This time, GuyA.Net’s PoC preys on Adobe’s Flash Player Settings Manager.
He blogged: “I’ve written a quick and dirty Javascript game that exploit[s] just that, and demonstrate[s] how an attacker can get… hold of the user’s camera and microphone. This can be used, for example, with platforms like ustream, justin and alike, or to stream to a private server to create a malicious surveillance platform”. The exploit essentially turns the browser into a “surveillance zombie,” he added.
Two researchers, Robert Hansen and Jeremiah Grossman, were planning to present their research on clickjacking at OWASP, New York City, but had to postpone the presentation because they figured out that exploitation of this vulnerability could be worse. Affected vendors requested that they postpone disclosure so that the vendors could fix it. Most of the time a vulnerability like this needs to be fixed by the web application, but this time browser vendors have taken up the task of fixing it. Microsoft and Adobe are among those affected.
These attacks are somewhat tedious and require precision compared with other powerful attacks such as CSRF and SQLi. The attacker needs to know the exact layout of the page the victim is likely to be viewing. Even a small shift in position can foil the whole attack, so these attacks work on pages whose button positions remain static. The CSRF token defense does not work here, because the victim’s own click on the genuine page submits a valid token.
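Since a CSRF token does not stop a framed click, a defender can instead audit whether pages may be framed at all. The following is an added example, not code from the original post or the researchers; it goes beyond the text by checking the X-Frame-Options and CSP frame-ancestors response headers, and the paths and header values are constructed.

```javascript
// Added example; SAMPLES are constructed responses, not taken from any real site.
const SAMPLES = [
  { path: '/login', headers: { 'X-Frame-Options': 'DENY' } },
  { path: '/account', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
  // A CSRF token is issued, but nothing stops the page from being framed.
  { path: '/settings', headers: { 'Set-Cookie': 'csrf_token=constructed-value; Secure' } },
];

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Classify one response as 'deny', 'same-origin', 'allowlist' or 'frameable'.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const sources = parseFrameAncestors(h['content-security-policy'] || '');
  if (sources !== null) {
    // Where frame-ancestors is present, supporting browsers apply it instead of X-Frame-Options.
    if (sources.includes('*')) return 'frameable';
    if (sources.length === 0 || sources.every((s) => s === "'none'")) return 'deny';
    if (sources.every((s) => s === "'self'")) return 'same-origin';
    return 'allowlist'; // specific origins or schemes: review the list by hand
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Missing, obsolete (ALLOW-FROM) or malformed values are reported as frameable,
  // the conservative answer for an audit.
  return 'frameable';
}

// Paths whose responses carry no framing restriction at all.
function frameablePages(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers) === 'frameable')
    .map((r) => r.path);
}

console.log(frameablePages(SAMPLES));
```

Only the enforced Content-Security-Policy header is considered here; a Report-Only policy does not block framing.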