October 09, 2008

Clickjacking topic.. doesn't help FMS devs

This is news to me: Yahoo on Clickjacking. In there they talk about an Adobe security blog.. news to me too, check that out here if you've never seen it before.

Either way, clickjacking as an issue certainly doesn't help us as FMS devs that are almost always creating applications that require the cam and mic. I wonder how Adobe is going to "fix" this issue. Honestly.. what user clicks the word "allow" when being asked to use their cam or mic and not understand that their mic and/or cam is about to be used? I do realize though that it's easy to grab either and hide that you have them from the user.

Here's the "workaround" for the problem just in case you wanted to know. I don't consider this a fix for anything unfortunately. It just makes it more confusing for those that don't understand why their cam/mic isn't working when they really need it to work in a flash app.

**Update**

Here's the site that will tell you about the actual way it's being done. Interesting way of doing things...

Posted by Graeme at October 9, 2008 01:16 PM
 



Comments

I'm only theorising, but presumably the clickjacking technique is making a flash movie 1% opaque and floating it around the page with javascript such that a malicious movie with the camera-access-granting button is always under the mouse pointer. So the first click the user makes (that they think is clicking something else) will open the camera stream.

I'd hope that the Adobe fix is to popup a new window with settings in rather than showing the settings in the swf context.

Posted by: Stephen at October 9, 2008 09:57 PM

If that's the case then Adobe's workaround won't work at all. Just because you set the settings to always deny doesn't mean that a developer can't bring that settings panel back up. The only case that Adobe's workaround works in is if somebody has allowed a particular site to always have access to the cam/mic.

I agree with you, the flash player needs access to the browser itself to bring up it's own little window.

Posted by: Graeme at October 10, 2008 02:15 AM

The reason it doesn't seem to make sense is that it's being spun as a Flash flaw.

Bottom line: Browsers can't assure click integrity... slide a DHTML panel atop something, and people think they're clicking an innocent link when they're actually clicking an evil link. Nothing really new. But combine it with Web2.0's promiscuous use of third-party content, and you've got a new problem.

What's worse, the commercial headlines are all copying each other on the Flash angle, solely because Flash can do things (like webcams and mics) which browsers cannot. It's a browser flaw which hides an actual click on the Player's permission dialogs.

It's one thing to bash Flash. But if revenue-grabbing news services focus on Flash, they'll be missing the real problem. When you think about it, there's a secondary security vulnerability in the news services themselves: instead of "look here click there", it's "look here think there". They're off-target, misleading people, causing damage of their own.

More at weblogs.macromedia.com/jd. If ya'll could help spread the word, I'd really appreciate it, thanks.

jd/adobe

Posted by: John Dowdell at October 10, 2008 10:42 AM

@Graeme: The "workaround" sets the settings panel to never appear, even when programmatically triggered by the developer.
See the text in point 4 on the Adobe page, and the text under the "always deny" button.

Posted by: Stephen at October 10, 2008 06:49 PM

ahh.. yes of course. You are correct and I stand corrected. When the confirm checkbox is checked it will never come up again for all domains when done from the Adobe site. Thanks for pointing that out to me, I should have just read it all properly in the first place.

Posted by: Graeme at October 11, 2008 03:17 AM