You know those people who put tape over their laptop’s webcam to keep digital peeping toms at bay? They’re not crazy.
A new proof of concept is making the rounds today that demonstrates how a hacker can snap pics off your webcam, right through the browser, with no consent required.
Well, technically, you are giving consent. You just wouldn’t know it.
Outlined by security consultant Egor Homakov, the hack brings in a few old tricks to work around Flash’s requirement that a user explicitly grants a website permission before it can access their camera or microphone.
Without going into to much detail, the demo uses a bunch of fancy CSS/HTML trickery to render Flash’s permission prompt in a transparent layer, placing the now invisible “Allow” button directly above something the user is likely to click — like, say, the “Play” button on a video.
The basic technique, dubbed Clickjacking, is nothing new. I’d actually generally avoid writing about things like this, if it were new, to keep the word from spreading before the companies got a chance to fix it — but these techniques are already very well known in the hacking world. In fact, a post on Adobe’s security blog suggests that they fixed the bug (or a similar one) way back in 2011. “No user action or Flash Player product update are required,” it reads.
And yet… it still works. We tested the proof of concept on the latest build of Chrome for Mac, and it pulled from our webcam without issue or any visible prompt. Others have found the exploit to work on IE10, but it seems to be patched on the most recent releases of Safari and Firefox. When it works, the only evidence that the camera was ever accessed is a near instant and oh-so-easy-to-miss blink of the LED indicator.
[UPDATE: Google has acknowledged and fixed the bug in Chrome with version 27.0.1453.116, released six days after our initial report on 6/13]
You can test the proof of concept yourself here (Heads Up: If you consider girls in bikinis to be NSFW, that link is NSFW. Also, it’ll take a picture of you, though the author claims he’s not storing them — but clarifies that someone could, if they wanted).
If your browser doesn’t visibly render the permission box and clicking the play button snaps a picture of you, your browser fails the test. If it shows the permission box or blocks the click, you’re safe (from this specific exploit, at least).
So, why is this a big deal? Imagine you’re perusing some of the Internet’s more, erm, intimate websites. You’ve fallen down the rabbit hole, finding yourself 3 or 4 sites away from the trusted one you started at. You click “Play” on something that suits your particular fancy and.. surprise! The LED on your webcam flicks on, and two seconds later you’re looking at a freshly snapped picture of yourself on screen, hands …wherever they might be.
Fortunately, getting a solid layer of protection against such exploits moving forward is pretty straightforward. For one, you can tape up that webcam — it’s a bit tinfoil hat, sure, but it’s better than having a photo of your bad bits blasted out to the Internet on some shady-ass Tumblr. Second, consider using Firefox* with something like NoScript, disabling it only for trusted sites.
Oh, and yeah, insert the obligatory NSA/PRISM joke here.
[*NoScript-esque extensions exist for Chrome, but I’ve yet to find one that is as dependable or user-friendly]
Creepy eye picture above is courtesy of Robert Montalvo, used under Creative Commons