A security flaw in Adobe Flash thought to have been repaired in October 2011 has resurfaced with a new proof-of-concept hack that can grab video and audio from a user’s computer without getting user authentication. The exploit places a transparent Flash object on a page and tricks the user into clicking it, which activates the object. The object can then take control of the camera and microphone regardless of the permissions set by the user.
The exploit was demonstrated by developer Egor Homakov and was based on code by Russian security researcher Oleg Filippov. (Note that the demonstration uses images of scantily clad women and may not be considered safe for work.)
“This is not a stable exploit (tested on Mac and Chrome. I do use Mac and Chrome so this is a big deal anyway),” Homakov wrote. “Your photo can be saved on our servers but we don’t do this in the PoC. (Well, we had an idea to charge $1 for deleting a photo but it would not be fun for you). Donations are welcome though.”