Cenzic 232 Patent
Paid Advertising
web application security lab

Flash Camera and Mic Remember Function and XSS

39 more posts left…

Just a quick post as I head into the ramp up to Blackhat where I won’t be writing posts. Jeremiah and I spent a lot of time trying to break the Flash settings manager a few years back but one thing that I never mentioned was the way in which Flash’s settings are very often scoped to the domain rather than the app. Although currently allowing Flash access to camera and microphone isn’t all that common, if it ever did become common using XSS would be a pretty interesting tactic. Once access is allowed and remembered, an XSS included object could theoretically end up with the same privileges.

Clearly XSS is bad in of itself, but once settings are permanently remembered, even on a site that has no other sensitive information on it (a free video-game site for instance) something like this could allow an attacker to do some nasty spying. In general applications should never allow access to camera and microphone permanently by default. Thankfully, I don’t think there are a lot of apps out there that request mic and/or camera access so the attack surface may be small. But if that were to change I’m sure if an attacker were creative they could combine CSS history hacking + hidden iframe + XSS + camera and microphone app to spy on quite a number of people who had selected the “Remember” option.

The nice thing about this attack is if it fails it doesn’t create a modal dialog alerting the user to the fact that they were under attack (one of the many perils of not using modal dialogs). So the moral of the story is even if your app contains no sensitive data, you need to be extremely careful of XSS. Oh, yeah and Flash may want to allow the web sites in question to remove the “Remember” function from their apps in future versions.

7 Responses to “Flash Camera and Mic Remember Function and XSS”

  1. PaPPy Says:

    *Unchecks remember settings on Ustream.tv*

  2. anonymouse Says:

    why do you think flash allowing such an option would achieve anything? If a website cares enough about security, it wouldn’t be that easily vulnerable to XSS (and when it happens would have a quick remediation). In a site that doesn’t care they wouldn’t ever change their behavior - they would want to remember setting (cos its too annoying otherwise).

  3. Sheridan Says:

    Why are you dis-appearing after 39 more posts? Sorry to see such an interesting blog go.

  4. Dan Says:

    chatroulette.com anyone?

  5. Picci Says:

    I hope he’ll just keep writing when he hits zero… i.e. “-3 posts left”,”-4 posts left” :p

  6. RSnake Says:

    @anonymouse - I’m not worried about the sites the care about security. I’m worried about any site that has any flash game or as Dan mentioned, things like chatroulette, and games and so on that typically have no sensitive information associated with them worth protecting. An XSS vuln may seem to be a minor issue to them if they don’t have credit cards or passwords, etc…. As we’ve seen time and time again, sites that care about security still have vulns very regularly. Any site that allows this sort of functionality, may want to allow it temporarily, but may not want to incur the risks associated with permanent acceptance of the microphone and camera access. But if your point was it won’t be used by companies that don’t care about security, you may be right there.

  7. Wornstrom Says:

    A vulnerability that lets people spy on you via webcam isn’t terribly minor. Of course, many webcams have a bright LED alerting you when they’re turned on, so this isn’t as much a threat as it may seem. Microphones may be more interesting, but generally unlikely to pick up anything people would care about.

    (Also, spell-check your title.)