Flash Player as a spy system

suraj.sun writes: If a forged certificate is accepted when accessing the Flash Player's Settings Manager, which is available exclusively online, attackers can potentially manipulate the player's website privacy settings. This allows a web page to access a computer's web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.

At the "Meta Rhein Main Chaos Days 111b" (German language link), Fraunhofer SIT employee Alexander Klink presentedPDF a scenario in which he used a man-in-the-middle attack (MiTM) to intercept the communication with Adobe's Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS – a fixed link to it is encoded into the browser.

However, the MiTM attack allows attackers to inject a specially crafted applet which, to put it simply, manipulates the Flash cookies (Local Shared Objects, LSOs) on the victim's computer in such a way that the computer's web cam and microphone become accessible to arbitrary domains – by default, no domain has access to these components. This, in turn, allows images and audio to be transmitted to the attacker's server via RTMP streaming.

H-online: http://www.h-online.com/security/news/item/Flash-Player-as-a-spy-system-1073161.html