Please create an account to participate in the Slashdot moderation system


Forgot your password?

Submission Flash Player as a spy system->

suraj.sun writes: If a forged certificate is accepted when accessing the Flash Player's Settings Manager, which is available exclusively online, attackers can potentially manipulate the player's website privacy settings. This allows a web page to access a computer's web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.

At the "Meta Rhein Main Chaos Days 111b" (German language link), Fraunhofer SIT employee Alexander Klink presentedPDF a scenario in which he used a man-in-the-middle attack (MiTM) to intercept the communication with Adobe's Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS – a fixed link to it is encoded into the browser.

However, the MiTM attack allows attackers to inject a specially crafted applet which, to put it simply, manipulates the Flash cookies (Local Shared Objects, LSOs) on the victim's computer in such a way that the computer's web cam and microphone become accessible to arbitrary domains – by default, no domain has access to these components. This, in turn, allows images and audio to be transmitted to the attacker's server via RTMP streaming.


Link to Original Source
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Flash Player as a spy system

Comments Filter:

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson