The concept is basic clickjacking. It was raised by habrahabr a week ago. “In this post,” he blogged, “I tried to explain the essence of a new attack (attack itself is not new, but let us call it that) bug peculiar to OS Windows 7,8, Mac OS X. We also need Google Chrome, well, Flash. Topic will address the idea of a total surveillance, especially popular in recent days?” (Google translation from Russian).
That ‘essence’ involves superimposing a Flash image over the webcam control function, but with a transparent box in the Flash. The user sees the Flash image, but not the webcam dialog. He thinks he is pressing OK on the superimposed image, when really he is activating the webcam. The trick does not work with Firefox and Opera, which makes the Flash image opaque and shows the webcam dialog beneath it. “But IE and Chrome 27.0.1453.110 10 well treated transparency and allowed to place himself on top of the text and / or image,” notes habrahabr.
A few days later, Egor Homakov took the ‘essence’ and produced an exploit. “I made a PoC to demonstrate the severity,” he announced. “This works precisely like regular clickjacking - you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you.” The exploit is not yet stable, he warns, but was tested on Mac and Chrome. It places the suggestion of a possibly risque video over the webcam permissions dialog, with the transparent Flash box directly over the real target.
Adobe claims the vulnerability is only in the Chrome implementation of Flash and is not present in Internet Explorer. “This vulnerability affects users on Flash Player installed with Google Chrome," Adobe spokeswoman Heather Edell told the Register in an email. "Google is working to resolve the issue and plans to provide a fix this week,” she added. Google recently amended the disclosure timeline for its own security engineers from 60 days to 7 days for vulnerabilities with active exploits, suggesting that this is long enough for vendors to fix faults. It has thus obliged itself to fulfil Edell’s prediction and provide a fix this week.
Meanwhile, users can watch for unexplained flashes from their webcam LED; but that might just be too late.