Underscoring the severity of a new class of vulnerability known as clickjacking, a blogger has created a proof-of-concept game that uses a PC's video cam and microphone to secretly spy on the player.
The demo, which is available here, appears to be a simple game that tests how quickly a user can click on a series of moving targets. Behind the scenes, it combines a generic clickjacking attack with weaknesses in Adobe's Flash technology to record the player using the PC's video camera and microphone.
The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that's part of a click-fraud scheme, or any other destination the attacker chooses.
It plagues every major browser, Adobe Flash, and many other browsing technologies, according to Jeremiah Grossman and Robert "RSnake" Hansen, the researchers who first sounded the clickjacking alarm. The pair was scheduled to detail the threat two weeks ago at at OWASP's AppSec 2008 Conference in New York, but canceled the talk at the request of Adobe.
For more information, see here.