Smile! Hackers Can Silently Access Your Webcam Right Through The Browser (Again)


You know those people who put tape over their laptop’s webcam to keep digital peeping toms at bay? They’re not crazy.

A new proof of concept is making the rounds today that demonstrates how a hacker can snap pics off your webcam, right through the browser, with no consent required.

Well, technically, you are giving consent. You just wouldn’t know it.

Outlined by security consultant Egor Homakov, the hack brings in a few old tricks to work around Flash’s requirement that a user explicitly grants a website permission before it can access their camera or microphone.

Without going into too much detail, the demo uses a bunch of fancy CSS/HTML trickery to render Flash’s permission prompt in a transparent layer, placing the now invisible “Allow” button directly above something the user is likely to click — like, say, the “Play” button on a video.

The basic technique, dubbed Clickjacking, is nothing new. I’d actually generally avoid writing about things like this, if it were new, to keep the word from spreading before the companies got a chance to fix it — but these techniques are already very well known in the hacking world. In fact, a post on Adobe’s security blog suggests that they fixed the bug (or a similar one) way back in 2011. “No user action or Flash Player product update are required,” it reads.

And yet… it still works. We tested the proof of concept on the latest build of Chrome for Mac, and it pulled from our webcam without issue or any visible prompt. Others have found the exploit to work on IE10, but it seems to be patched on the most recent releases of Safari and Firefox. When it works, the only evidence that the camera was ever accessed is a near instant and oh-so-easy-to-miss blink of the LED indicator.

You can test the proof of concept yourself here (Heads Up: If you consider girls in bikinis to be NSFW, that link is NSFW. Also, it’ll take a picture of you, though the author claims he’s not storing them — but clarifies that someone could, if they wanted).

If your browser doesn’t visibly render the permission box and clicking the play button snaps a picture of you, your browser fails the test. If it shows the permission box or blocks the click, you’re safe (from this specific exploit, at least).

So, why is this a big deal? Imagine you’re perusing some of the Internet’s more, erm, intimate websites. You’ve fallen down the rabbit hole, finding yourself 3 or 4 sites away from the trusted one you started at. You click “Play” on something that suits your particular fancy and.. surprise! The LED on your webcam flicks on, and two seconds later you’re looking at a freshly snapped picture of yourself on screen, hands …wherever they might be.

Fortunately, getting a solid layer of protection against such exploits moving forward is pretty straightforward. For one, you can tape up that webcam — it’s a bit tinfoil hat, sure, but it’s better than having a photo of your bad bits blasted out to the Internet on some shady-ass Tumblr. Second, consider using Firefox* with something like NoScript, disabling it only for trusted sites.
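The transparent-layer trick described above leaves a recognizable footprint: a plugin element that is almost invisible yet still receives the click. The following is an added example, not code from the original article or from the proof of concept; it is a heuristic check over plain element records, and the record fields, function names and sample values are assumptions constructed for illustration.

```javascript
// Heuristic: flag plugin content that is nearly invisible but would still
// receive a click at a given point. Element records here are constructed
// sample data; in a browser they would be filled from getComputedStyle()
// and getBoundingClientRect().
const PLUGIN_TAGS = new Set(["object", "embed", "iframe"]);

// Opacity multiplies down the tree, so a fully opaque plugin inside a
// wrapper with opacity 0.01 is still effectively invisible.
function effectiveOpacity(el) {
  let opacity = 1;
  for (let node = el; node; node = node.parent) opacity *= node.opacity;
  return opacity;
}

function containsPoint(rect, p) {
  return p.x >= rect.left && p.x < rect.right &&
         p.y >= rect.top && p.y < rect.bottom;
}

// Returns plugin elements below the visibility threshold that sit under
// the click point and still accept pointer events.
function hiddenPluginsUnderClick(elements, click, threshold = 0.1) {
  return elements.filter(el =>
    PLUGIN_TAGS.has(el.tag) &&
    el.pointerEvents !== "none" &&
    effectiveOpacity(el) < threshold &&
    containsPoint(el.rect, click));
}

// Constructed page layout: a visible video player, a visible play button,
// and a plugin whose wrapper makes it transparent, placed over the button.
const wrapper = { tag: "div", opacity: 0.01, parent: null };
const SAMPLE = [
  { tag: "object", id: "video-player", opacity: 1, parent: null,
    pointerEvents: "auto", rect: { left: 0, top: 0, right: 640, bottom: 360 } },
  { tag: "button", id: "play", opacity: 1, parent: null,
    pointerEvents: "auto", rect: { left: 180, top: 150, right: 240, bottom: 190 } },
  { tag: "object", id: "prompt-layer", opacity: 1, parent: wrapper,
    pointerEvents: "auto", rect: { left: 100, top: 100, right: 315, bottom: 238 } },
];
const CLICK = { x: 200, y: 170 }; // where the user presses "Play"

console.log(hiddenPluginsUnderClick(SAMPLE, CLICK).map(el => el.id));
```

The check ignores stacking order and clipping, so it can miss other ways of hiding a prompt.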

As published on http://techcrunch.com/2013/06/13/smile-hackers-can-silently-access-your-webcam-right-through-the-browser-again/
