If you're reading this on a Mac, the tiny webcam at the top of your computer could very well be watching your every move.
The problem is a vulnerability in Adobe Flash Player that lets an attacker silently switch on the webcam and microphone of anyone who visits a specially rigged site and spy on them, according to Stanford University computer science student Feross Aboukhadijeh, who discovered the bug and demonstrated it with a proof-of-concept page.
On his blog, Aboukhadijeh explained that Flash Player's Website Privacy Settings panel, the control that decides which sites may use a visitor's camera and microphone, is itself an SWF (Shockwave Flash) file served from Adobe's site. Adobe's settings page wraps that SWF in code meant to stop other sites from framing it, but the SWF can be loaded directly into an iframe, a piece of Web page code that embeds content from another site. By framing the panel on his own page and making it invisible, he could line up its Allow button under a decoy so that a visitor's click went to the panel instead, bypassing Adobe's protection.
"I've seen a bunch of clickjacking attacks in the wild, but I've never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic!" Aboukhadijeh wrote.
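The two halves of the technique described above, as an added example that is not code from the original article, from Aboukhadijeh's proof of concept, or from Adobe: first, the shape of a clickjacking page that floats a transparent iframe over a decoy so a visitor's click lands on the framed control; second, a header check a defender can run to learn whether a framed resource is even allowed to be embedded by a third-party page. The origins, URLs and header sets are placeholders constructed for the example.

```javascript
// Added example, not code from the original page. URLs and origins are placeholders.

// (1) Attacker page. The framed document (in the story, the Flash privacy-settings
// SWF fetched directly, sidestepping the wrapper page's frame-busting) sits above
// the decoy at zero opacity; the decoy is only bait for the click.
function buildClickjackPage(victimUrl, decoyLabel) {
  return [
    '<!doctype html><html><body>',
    '<style>',
    '  #decoy  { position:absolute; top:120px; left:80px; z-index:1; }',
    '  #victim { position:absolute; top:100px; left:50px; width:600px; height:200px;',
    '            opacity:0; z-index:2; border:0; }', // invisible but on top: it receives the click
    '</style>',
    `<button id="decoy">${decoyLabel}</button>`,
    `<iframe id="victim" src="${victimUrl}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// (2) Defender's check: given the response headers of the resource being framed,
// that resource's origin, and the origin of the page trying to frame it, would a
// browser refuse to render it inside that frame? A CSP frame-ancestors directive
// takes precedence over X-Frame-Options when both are present, as in browsers.
// Frame-busting JavaScript on a wrapper page is deliberately not considered: it
// does nothing when the resource itself can be framed directly.
function framingBlocked(headers, resourceOrigin, framerOrigin) {
  const lookup = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? null : String(headers[key]);
  };

  const csp = lookup('content-security-policy');
  if (csp !== null) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.length === 0 || sources.includes('none')) return true;
      if (sources.includes('*')) return false;
      if (sources.includes('self') && resourceOrigin === framerOrigin) return false;
      // Explicit origin list: only an exact origin match permits framing
      // (scheme-only and wildcard-host sources are treated as no match here).
      return !sources.includes(framerOrigin.toLowerCase());
    }
  }

  const xfo = lookup('x-frame-options');
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return true;
    if (value === 'SAMEORIGIN') return resourceOrigin !== framerOrigin;
    if (value.startsWith('ALLOW-FROM')) {
      return value.slice('ALLOW-FROM'.length).trim() !== framerOrigin.toUpperCase();
    }
  }

  // Nothing forbids embedding: a direct load of the resource into an iframe on
  // any site will render, which is exactly the condition the attack relies on.
  return false;
}

// Constructed sample inputs (placeholders, not real Adobe responses).
const ATTACKER = 'https://evil.example';
const SETTINGS_HOST = 'https://settings.example';
const unprotected = {};                                                      // what the attack needs
const withXfo = { 'X-Frame-Options': 'SAMEORIGIN' };
const withCsp = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" };

console.log(buildClickjackPage(SETTINGS_HOST + '/settings.swf', 'Click to play'));
console.log('unprotected blocked?', framingBlocked(unprotected, SETTINGS_HOST, ATTACKER));
console.log('X-Frame-Options blocked?', framingBlocked(withXfo, SETTINGS_HOST, ATTACKER));
console.log('CSP blocked?', framingBlocked(withCsp, SETTINGS_HOST, ATTACKER));
```

The point of the check is where the protection has to live: on the response for the embedded resource itself, not on an HTML page that merely happens to wrap it, because an attacker can skip the wrapper and frame the resource directly.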
Aboukhadijeh said he reported the vulnerability to Adobe "a few weeks ago" but never received a response, and decided to publish anyway: "I think it's worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly," he said. Adobe has since said it is working on a fix for the bug that should be ready by the end of the week.