Slashdot Mirror

← Back to Stories (view on slashdot.org)

Freaky Flash 6 Fishy Features

Posted by chrisd on from the what-are-they-thinking dept.

donpardo writes "I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. Here are Macromedia's statements about the mic and the camera. In addition there is a setting to ask how much information the site can store on your computer. The default value is 100K. According to the information statement "Data can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio ... The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."" I thought the first sentence of this submission was telling ...

9 of 284 comments (clear)

  1. Internet Awareness Anyone? by Scotch+Game · · Score: 5, Insightful

    Okay, security's important, but come on people. The settings are configurable, the policy is easy to understand and what we're talking about in terms of the data being stored is essentially what amounts to Cookies for Flash. The camera and mic stuff can be turned off. If you don't like Flash this won't make you love it and if you love Flash this won't make you hate it. So people are posting about WHAT exactly?

    "I have to turn my camera off for Flash! Invasion of privacy! Invasion of privacy! Cookies are evil! The sun is disappearing, the dragons are coming! The dragons are coming!

  2. Re:What business does a player by Graspee_Leemoor · · Score: 3, Insightful

    Well someone might want to write a flash program that allows you to upload pictures of yourself, or sound clips.

    Honestly, if you're this paranoid you should be more concerned that your OS has control of your camera and microphone, since your OS was written by Microsoft!

    graspee

  3. It's not all that bad by seangw · · Score: 3, Insightful

    If by default your options are turned off, then is there really any large amount of harm?

    Storing information on your computer is an old practice (cookies), and contrary to popular belief, isn't all that bad.

    How many of you stay logged in on slashdot when come back to the site? That wouldn't be possible without "maintaining state" between visits.

    Personally I commend Macromedia for giving developers access to such important features (stored variables) and trying to get others into the mainstream (integrating video and mic).

    If you think this is an underhanded deed, then why don't you check your cookie files, you'll see quite a few, 90% are there solely to help you (10% could be tracking information, which in the end, just gives the user more relevant information).

  4. Uninstalling Flash by FattMattP · · Score: 3, Insightful
    One of the best things I ever did for myself was uninstall flash from all my browsers. 99% of the time Flash is just needless eyecandy, IMO. I also set my activex settings in IE to disable activex entirely. That way I don't even get prompted over and over to install it.

    You can find information on how to uninstall Flash here: http://www.macromedia.com/support/flash/ts/documen ts/remove_player.htm

    --
    Prevent email address forgery. Publish SPF records for y
  5. How can Flash be removed? by Futurepower(R) · · Score: 3, Insightful


    How can Flash be removed from 1) Windows, and 2) Linux?

    Reasons not to run Flash:

    Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash Activex Buffer overflow.

    Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.

    Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.

    Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.

    For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.

    By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.

    Flash content is proprietary content. It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.

  6. Re:What business does a player by GoRK · · Score: 4, Insightful

    MOTHER OF GOD that is so SINISTER of them. Surely, the bit is there to serve SATAN!

    I mean, how could it serve a legitimate purpose if you were using your webcam for, say, security purposes - to watch your empty office or house while you were away, or you just didn't want the LED to blink when it took a picture for say - your robot vision app? Won't someone PLEASE get these hardware engineers to stop including useful features in their devices?

    The intel webcams have always had this nice little shutter on the front that you can close. A very nice feature.

  7. Sandboxed? by theolein · · Score: 3, Insightful

    Flash started off as a very interesting technology about 6 years ago, and gained popularity amongst users because it was small (142k download or so), relatively innocuous (Only two exploits so far AFAIK) and it brought those things to the web that java applets had promised but failed to do. There was a huge demand for Flash coders in the middle of the Dotcom boom, especially when Flash 4 hit the scene with scripting abilities, allowing developers to make fancy interactive sites, and even more so when Flash 5 came around which improved the scripting and performance yet still remained small and relatively safe.

    What happened?

    Thousands of dotcommers made enormous flash intro animations to their sites (about half of them forgetting to make a "skip intro" link), which rapidly irritated many many visitors to said sites (a study on the irritation factor of flash intros and banners would be *very* interessting). At the same time as the dotcom scene started crashing around everyone's ears, desperate internet marketing whizzes decided that flash would be a brilliant vehicle for advertising, pushed along by an equally desperate Macromedia, whose products were no longer selling like hot cakes. The results of those ideas can be seen on almost every portal on the web (ZDNet is my favourite with slashdot also not doing too badly), and visitors reactions are known to everybody it seems except for the mindless marketing people who push it. In this way it is very similar to spam.

    Macromedia spent a fortune on making Flash a tool that would liven up the web and make colourful, interactive, animated, dynamic sites possible especially in conjunction with macromedia's backend flash application server, generator. Apart from a host of sites early on this trend has died out almost completely, because what macromedia didn't realise is that just like web designers/coders have to cope with different browsers, they also have to cope with users who haven't and won't use the plugin, and therefore go for the lowest common denominator in websites:html with one or two pics etc. Flash didn't save a single dotbomb from going under.

    Now, just like any other large company (ahem), they need to add "features" in order to carry on making money with their product. Flash 6(MX) now has built in video, microphone and cookies. I very much doubt this is suddenly going to improve the content of all the Flash we've been getting, although it may kill one or two other companies' media players(Quicktime, WMP, Real) but, in moving out of the traditional small player that they've had, it will fast become larger, and someone is sooner or later going to find some hole in their player (actionscript getting access to the drive while ostensibly looking for cookies? Exploiting a hardware driver(keylogger)?). For all my irritation with Sun's Applet saga and java on windows, Sun worked very hard to make the language and VM design secure (and the fact that of the few exploits with browser JVM's being mostly in MS' JVM does show this). Macromedia doesn't AFAIK have that much experience in security wrt clientside technologies and time will tell what will happen with this player.

    I used to be a Director programmer and with Director you could pretty much do anything on the client machine with no checks and shockwave, director's browser plugin went in the same direction as flash is going: first a straight player and then with laetr versions you could download all sort's of xtras onto the client machine. I once, as a security test, wrote a screensaver with shockwave, that everybody in the company loved (it even won an award for design). What no one realised until we tald them, was that the screensaver had been merrily scanning people's drives in the background and uploading filelists to us.

  8. This could be VERY bad by techmuse · · Score: 3, Insightful

    for anyone using voice recognition, or any other application where keeping your mike at the CORRECT
    level is important. What right do they have to change my settings?!

  9. Re:a bit alarmist, no? by moncyb · · Score: 3, Insightful

    Let me tell you this. No one wants to look into your webcam unless you are only slightly over 18, female and have an aversion to wearing clothing.

    You're a bit naive.

    So you're saying that no one would want to see a CEO's webcam that has confidential papers in view of the picture? Papers that could give a competitor an advantage? (or anyone--such information could make a person very rich in the stock market) ...or how about a credit card in view of the cam. Maybe those items would be hard to read, but someone could get lucky, and the mic wouldn't even have this sort of problem if any of this info is spoken aloud. In fact the mic could probably catch information that is even more sensitive...

    Maybe they don't really want to look at your webcam pics, but use them to embarass you. Ever use your computer in your underwear? Ever change in front of your webcam? Ever pick your nose? Those events could be posted all over the internet.

    It isn't being invasive, it's off by default. Go cry wolf where it's important.

    So it is off by default. That doesn't guarantee that the plugin doesn't have a bug somewhere that'll allow a webmaster to get access to the webcam or mic anyway. It's another possible way some wacko can access your system. Granted that the most used browsers have known security holes that are much worse, so to some degree you have a point, but it is still a concern.