Underscoring the severity of a new class of vulnerability known as clickjacking, a blogger has created a proof-of-concept game that uses a PC's video cam and microphone to secretly spy on the player. The demo, which is available here, appears to be a simple game that tests how quickly a user can click on a series of moving targets. Behind the scenes, it combines a generic clickjacking attack with weaknesses in Adobe's Flash technology to record the player using the PC's video camera and microphone.
The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that's part of a click-fraud scheme, or any other destination the attacker chooses.