Webcam hijack demo highlights clickjacking threat

Clickjacking demos highlight severity of cross-browser threat[ UPDATE: The details are out. Lots of unresolved clickjacking issues]

A security researcher in Israel has released a demo of a “clickjacking” attack, using an JavaScript game to turn every browser into a surveillance zombie.

The release of the demo follows last month’s partial disclosure of the cross-platform attack/threat, which affects all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

[ SEE: Clickjacking: Scary new cross-browser exploit]

In Guy Aharonovsky’s demo game, a Web page is set up to seamlessly hide another page in the background that’s actually managing the target’s Adobe Flash Player privacy settings manager.

Using a series of clicks bouncing around the rigged page, Aharonovsky is able to silently hijack the user’s clicks to modify the Flash privacy settings and take complete control of the installed webcam.

The wet dream of every private eye and peeping tom. Imagine this scenario, you play a short game on the web and by doing that you unknowingly grant someone full access to your webcam and microphone.

If you don’t want to try it or don’t have a webcam connected, you can see the attack in action in this YouTube video.

[ SEE: Firefox + NoScript vs Clickjacking ]

Aharonovsky’s harmless demo game is a perfect example of how clicks on one Web page can actually apply to clicks on page that’s invisible to the end user. The webcam hijack could have been used, for example, with live streaming sites like UStream or JustinTV to create a malicious surveillance platform, he explained.

The demo was done in the form of a JavaScript game but Aharonovsky warns that a Flash, Java, SilverLight, DHTML game or application can be used to achieve the same thing.

Some of the clicks are real game clicks other are jacked clicks. Every time the click is needed to be jacked the content simply move behind the iframe using z-index.

I had doubts about publishing this, but, if I could have understand it so are the bad guys, so it’s better to know about it.

Aviv Raff, a security researcher with expertise in browser hacking, has also built a proof-of-concept exploit using a hidden iFrame to hijack clicks to snag Twitter followers.

Raff’s demo invisibly overlays a blank page over the Twitter site and sets the”Click Me!” button on the spot where Twitter’s “Follow” icon is displayed. If the target is logged into Twitter, the click on Raff’s demo is actually executed on Twitter’s site.

The ramifications for this is truly scary and, as Google browser security guru Michal Zalewski explains, difficult to fix.

If you expand the idea behind these clickjacking demos, you can see how this can be exploited to make it easier to launch drive-by malware download using social engineering techniques.

Until the affected vendors can come up with adequate patches/mitigations, Web surfers might want to follow Jeremiah Grossman’s advice and move to Firefox + NoScript to get some level of security.

[Source: zdnet]