Added: 3 years ago
From: guya11
Views: 1,251,305
All Comments (76)

  • ClickJacking

  • clickjack(dot)net

  • genius

  • @flatronL1917 antivirus don't do shit against these types of attacks. Because it's not a virus, it's your browser. An antivirus can't defend you from yourself. And remember you are the one doing the clicks.

    Best is: if you don't trust a site, don't use it. And always prefer to type the url of your trusted sites than to click on a link. Even if that link is on google.

  • *Sigh* Another malicious programmer who found an awesome "hack" and got his dream of recording people. >.< Good thing it's fixed. :)

  • genius

  • @flatronL1917 OR.... you could do the obvious thing and cover the webcam with tape.

    Better yet, use an external webcam that you can unplug when you're not using it.

  • lolol *click* JACKED ... *click* JACKED

    So many people musta fallen for this.

  • Laptops are lame though.

  • I don't get this at all

  • Clickjacking involves getting people to click on things that they don't know they're clicking on. In this case, some of those jumping buttons happened to be in the same place as dialog controls that were on top but invisible -- so the user changed an option and allowed his camera to be used by Flash (a security vulnerability).

  • CRAP

  • stop spamming

  • How the hell is this not completely illegal? Forget spyware.. it doesn't get ANY more intrusive than this. I've got Adblock and thought that pretty much had me covered. I've toyed with Noscript, but was concerned about it blocking legitimate scripts. It's going on my computers NOW. There is NO justification at all for spying on people in their own homes. Thanks for the video.. very useful in highlighting a completely Orwellian tactic which should be outlawed.

  • Lol, you're over-exaggerating. This rarely ever happens. And, it is possible to turn your webcam away when not using it, or notice the light come on. I don't run an antivirus of any sort or a script blocker, and I have never been "click jacked" or even gotten a virus. You just need to be careful.

  • they crippled the real demo for what reason?

    shame... it was a news article too.

  • And then God said... "Let there be NoScript!" And there was NoScript, and God saw it, and it was good. And then God said "Let there be updates!" And there were updates, and God saw it, and it was better!

  • well spoken

  • noscript is not just a "disable javascript" tool. It protects against XSS, ClickJacking, etc.

  • Pretty fun, and pretty dangerous too - -

  • How does one do that

    ??

    Teach me, please.

  • Ahh I was wondering how that works, this clears it up a lot.

  • ....

  • Oh no

  • hah

  • You understand?

  • OH SHI--

  • For the last 6 years I have been unplugging my webcam because of this exact reason. It's so easy to watch people and them not know it. I even bought a camera that turns on two very bright lights that can be seen even if not looking at the webcam, just so I know I'm not being watched.

  • my camera light changes colour when it turns on and so do most others

  • but how many people out there would possibly notice the light on or think someone was watching them

  • There is one advantage. the 40 year old pervert gets to watch you change.. doesn't that sound fun?

  • just make sure that whenever you're not on webcam with someone, your camera is turned to face the wall or something :)

  • A scary thought to think that it can be done :/

  • wtf I don't get this

  • The code he wrote pretends you're playing a game. As a side effect of where you're clicking on the screen (there is an iframe hidden so that you can't see it) he tricks you into turning your camera on. The game tricks you into turning your own camera on because you just click wherever it says to.

  • what is a camera click jack?

  • sign me up

  • thanx! this is my last hope to get my webcam started!

  • lol

  • What'll happen if I click my heels 3 times?

  • Only problem is who would play a pointless gay game like that.. no time limit, it doesn't speed up, you can clearly tell it's a scam.

  • But what if it's part of a "calibration" scheme? Don't underestimate people's gullibility; how do you think all of those Kenyans got rich.

  • Bobo304, it's the Nigerians with the scams not the Kenyans.

  • It's just a POC, there are plenty of ways to make this more sneaky.

  • or a shitty web game

  • Obviously, it won't be as simple as this.

  • Sadly it is... This security problem also exists in various other applications like Java etc. and has not yet been fixed...

  • Shit, will get caught having a wank if I'm not careful..

  • lmao

  • HARHARHARHAR!

    I hear that

  • Goes to show you how terrible HTML is as the backbone of an application framework. I think those insisting building future apps on top of it can keep their mouth shut for a while.

  • "Goes to show you how terrible HTML is as the backbone of an application framework."

    Well, it's true HTML is a Language for Marking up HyperText, and not ideal for serving applications. But the real problem is the trend toward hosting logic on the server and telling the user "run my code".

    Even without these major security issues, browsers cede too much control to application developers. Desktop clients have way fewer problems in this regard, but writing them is Hard for neophytes.

  • The problem has nothing to do with HTML, and everything to do with the security model for trusting JavaScript that originates from a different source than the server hosting the webpage (which is the case for pretty much every advert on the web).

    A Same Origin Policy would help here, but it would also cripple a large amount of web functionality (stats tracking tools, adverts, embeddable content etc.).

  • Since they're both the same company.

  • The demo website says: "Update: This demo isn't functional anymore, you can still watch the video [link to this YouTube Page]."

  • it doesn't work right on Mac OS X 10.5

    I get redirected too, to macromedia's site before I can click

  • it doesn't work right on suse 11

    I get redirected to macromedia's site before I can click

  • Saw an article on this over on ZDNET. Genius yet horrifying...the potential...and the threat...
