"A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works.
Details of the dangerous clickjacking attack have been closely held by
the two researchers who discovered it — Jeremiah Grossman and Robert
“RSnake” Hansen — at the request of Adobe, which wanted more time to
patch its software from the attack, although the attack has to do with
the way browsers and the Web work. (See Clickjacking Defense Will Require Browser Overhaul and Disclosure of Major New Web ‘Clickjacking’ Threat Gets Deferred.)
But a researcher with a blog called “GuyA.Net”spilled the beans today
with a proof-of-concept that controls a user’s Webcam and microphone
once the user clicks on hidden malware on the Web page.
Adobe is expected to release a patch today to protect its
applications from the clickjacking attack. Adobe was not available for
comment at this posting.
GuyA.Net’s PoC preys on Adobe’s Flash Player Setting Manager.
“I’ve written a quick and dirty Javascript game that exploit[s] just
that, and demonstrate[s] how an attacker can get… hold of the user’s
camera and microphone. This can be used, for example, with platforms
like ustream, justin and alike, or to stream to a private server to
create a malicious surveillance platform,” he blogged. The exploit
essentially turns the browser into a “surveillance zombie,” he added.
The attack could be used for corporate espionage or other even
creepier virtual surveillance — think online peeping Toms, industry
experts say."
Read more: http://www.darkreading.com/document.asp?doc_id=165431&WT.svl=news1_1
