Three months ago, the annual CanSecWest conference was held, during which Google offered prizes to hackers who discovered bugs in the Chrome browser. While the conference attendees were offered prizes worth up to a million dollars, there was a bug that had existed for more than two years and that no one had bothered to fix: hackers can take pictures using the user's webcam, directly through the browser and without any consent on the user's part. Smile or don't smile, you are being photographed.
Recently, the bug was brought up again by experts, who demonstrated tricks using HTML and CSS that hide the Flash layer displaying the dialog box that asks the user to approve or reject the Web site's request to use the camera, so that instead of the 'Allow' button the user sees a 'Play' button. Once the user clicks Play, the hacker can use the user's camera.
This technique, called 'Clickjacking', was supposedly fixed by Adobe "without updating the product or other action required by the user", but it seems that in Chrome version 27.0.1453.110, the latest stable version available for download to all users, the bug still exists and works tirelessly. The most obvious illustration of how this bug could be used is a porn site showing a series of alternating erotic photos, or what looks like a video, that invites the user to click a button to play. The click actually grants permission to use the camera, and the user may be caught in a most awkward situation.
When you enter the site you see changing images of girls in bikinis, and once you click the Play button you actually authorize the use of your camera without meaning to. The site takes a photograph and shows the picture on the page. While this is only a proof-of-concept site, hackers would be more than happy to store the user's images or video and demand a ransom to remove them from the server.
How can you avoid clickjacking sites?
Google published a dedicated online support page and recommended the following steps to prevent Web sites from accessing your camera without permission. Unfortunately, we tried the steps on Chrome version 27 and above, but the bug still exists.
As mentioned, we found this solution lacking, so there are other things you can do to protect yourself against the bug:
The first is of course to switch to another browser and run a plugin such as 'NoScript', granting special permissions only to sites you trust.
The second is to update your copy of Chrome to one of the Nightly versions or to Canary, which contain the most recent features introduced by the Chrome development team, and see in which of them the bug is fixed. Keep in mind that these are completely experimental versions and may well contain browser bugs or crash occasionally.
Finally, the simplest solution is to cover your webcam and physically block the lens.