10. January 2012

Adobe Flash Webcam clickjacking - The security fix that wasn't.

Update : Adobe added me to their Security Acknowledgments page, following the fix.

Adobe and clickjacking, sounds familiar? Recently I found a vulnerability in Adobe Flash that allows any website to silently spy on its visitor’s webcam and microphone feeds with absolutely zero permission. And wait, heres the most interesting part, this issue has been there for the past 4 years and am pretty sure that this must have been exploited in the wild until recently. The flaw is ironically in one of Adobe’s security fix, following a clickjacking vulnerability in their Flash Settings Manager page.

For security researchers:

TL;DR - Its all about frame buster busting with the 204 - No Content trick.

Others read more.

“Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.” — Wikipedia

“The Adobe Flash Player Settings panels let you make decisions about privacy, data storage on your computer, security, notifications of updates, and use of the camera and microphone installed on your computer.” — Adobe website

A little bit of history:

In 2008 a security researcher Guy Aharonovsky discovered a way to maliciously spy web cameras using Clickjacking on the Adobe Flash Settings panel. This video demonstrates the attack using a small game, which has an Iframed Flash Settings page, well hidden using CSS properties. And Adobe followed up with their fix, pretty fast. As the researcher quotes,

“Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response.”

A pretty sad fix I should say, which I’ll explain soon. Then in 2011, someone named Feross, found a new way to clickjack the Flash settings panel. This attack works by Iframing the settings SWF file instead of the whole Settings page, as he quotes in his blog,

“Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file. This let me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!”

Adobe fixed the clickjacking issue on the SWF file some 3 months back.

Bypassing the Frame Busting code or why that fix from Adobe in 2008 wasn’t a secure fix:

There are many ways in which a Frame Buster can be Busted. Yeah! There are Frame-Buster busters too. The sad truth is that many websites are still under the impression that this small junk of code is a frame buster and that it can keep their clickjacking miseries at bay,

 if (top!=self){
        top.location.href=self.location.href;
    }

Programmers usually bust Iframes by using JavaScript’s power with the above code. Security researchers and attackers then go beyond that and show the true power of JavaScript by using something like the one below,

 var kill = 0;
   window.onbeforeunload = function() { kill++; }
   setInterval(function() {
     if (kill > 0) {
       kill -= 2;
       // A Web Server that serves a 204 - No Content
       window.top.location = "http://test.skepticfx.com/204.php"; 
     }
   }, 1)

On modern browsers a 204 -No Content HTTP response from the server will do nothing, meaning it will leave the current page intact. Thus it will override the previous frame busting attempt, rendering it futile. This technique has been there for a while, but its really bad most of them are not aware of it.

How to fix clickjacking issues once and for all:

The answer lies in a Custom HTTP Response Header called X-Frame-Options. This response can be used to indicate whether or not the browser should allow the response to be allowed in a Frame or not. Most of the top websites are fast adopting this header and I feel this should be there by default for all the server configurations, unless people want to mash up stuff.

Apache servers can be made to send X-Frame-Options header for all pages, by using the following line in the site’s configuration.

Header always append X-Frame-Options DENY

And heres the one for nginx,

add_header X-Frame-Options DENY;

Adobe did respond pretty fast and smart to this one:

  • Vulnerability reported: 28-11-2011, Proof submitted with a Private POC Code to exploit Flash Settings.
  • First Response from Adobe: 29-11-2011, Suggested X-Frame-Options for the fix.
  • Fix is ready and is being tested: 15-12-2011.
  • Fix deployed: 20-12-2011.