A security flaw in Adobe Flash thought to be repaired in October of 2011 has resurfaced again with a new proof-of-concept hack that can grab video and audio from a user’s computer without getting user authentication. Employing a transparent Flash object on a page to capture a user’s click, the exploit tricks a user into clicking to activate the object. The object can then take control of the camera and microphone regardless of the permissions set by the user.

The exploit was demonstrated by developer Egor Homakov and was based on code by Russian security researcher Oleg Filippov. (Note that the demonstration uses images of scantily-claid women and may not be considered safe for work.)

“This is not a stable exploit (tested on Mac and Chrome. I do use Mac and Chrome so this is a big deal anyway),” Homakov wrote. "Your photo can be saved on our servers but we don't do this in the PoC. (Well, we had an idea to charge $1 for deleting a photo but it would not be fun for you). Donations are welcome though.”

The “clickjack” works in a fashion similar to previous attacks against Flash by hiding the dialogue that would prevent a hijack of the camera and mic behind another page element. This demonstration attack apparently needs to be tailored to the target browser, however. Ars has tested the exploit on Mac OS with Chrome and Firefox, Windows 8 with Internet Explorer and Chrome, and on Chrome OS; the exploit only worked consistently in Chrome browsers and not at all on Windows 8.

“The basic problem with Flash is that it doesn't have modal dialogues that pop up outside of the browser, which can alert the user to what's about to happen,” said Robert Hansen, director of product management for WhiteHat Security, in a e-mail conversation with Ars. “Because the dialogues are on the same page as the adversary's code, they can overlay things, make it opaque, and so on, to effectively hide the dialogue warning.”

Ars reached out to an Adobe spokesperson for comment on the exploit, but the company has not yet responded.