All that’s required is to visit a malicious website and click a few buttons on that page. Without warning, the visitor’s camera and microphone will be activated and the video and audio intercepted. On Wednesday Adobe said it was planning to fix the vulnerability, which is caused by flaws in the Flash Player Settings Manager. The panel, which is used to designate which sites may access feeds from a user’s camera and mic, is delivered in the SWF format used by Flash. A computer science student at Stanford University, Feross Aboukhadijeh, discovered he could embed the SWF file in an invisible iframe and superimpose misleading graphics on top that tricked visitors into making changes to the underlying privacy settings.
Settings Manager is actually hosted on Adobe’s servers, so it should be possible to implement a fix without having to release an update to users’ machines. A spokesperson for Adobe has said an update should be in place by the end of the week.
The Stanford student said that so far only Macs running Safari or Firefox were vulnerable; however, he indicated that further research may lead to this attack becoming more universal.
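The attack described above depends on the settings panel being loadable inside another site's invisible iframe. As an added example (not from the article, and not Adobe's fix, which the article does not describe), the JavaScript below classifies whether a response's headers let other origins frame it; it generalizes to any page with sensitive controls, and the function names and header sets are constructed for illustration.

```javascript
// Added example: classify a response's framing policy from its headers.
// Input is an object with lower-cased header names (samples are constructed).

// Source list of the first frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function framingVerdict(headers) {
  // Only the enforcing CSP header counts; the -report-only variant blocks nothing.
  const csp = headers['content-security-policy'];
  const sources = csp ? frameAncestors(csp) : null;
  if (sources !== null) {
    // When present, frame-ancestors takes precedence over X-Frame-Options.
    const real = sources.filter((s) => s !== "'none'");
    if (real.length === 0) return 'blocked'; // 'none' or an empty list
    if (real.some((s) => s === '*' || /^https?:$/.test(s))) return 'frameable';
    return real.every((s) => s === "'self'") ? 'same-origin' : 'allowlist';
  }
  // X-Frame-Options: comma-separated, case-insensitive, duplicates collapsed.
  const xfo = new Set((headers['x-frame-options'] || '').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
  if (xfo.size > 1 && known) return 'blocked'; // conflicting values fail closed
  if (xfo.has('deny')) return 'blocked';
  if (xfo.has('sameorigin')) return 'same-origin';
  // Missing header, typos and the obsolete ALLOW-FROM give no protection.
  return 'frameable';
}

// Constructed header sets, not captured from any real server.
const SAMPLES = [
  {},
  { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
];
for (const h of SAMPLES) console.log(JSON.stringify(h), '->', framingVerdict(h));
```

A verdict of `frameable` on a page that changes privacy or security settings means an overlay of the kind described here is not prevented by the server's headers.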