One of my readers, Jonathan Hirshon, sent me this email after he accidentally right-clicked on a Flash ad that happened to sneak past his ad filter and grabbed its source URL…

> After checking Macromedia’s online privacy manager on my iMac, I was horrified to learn that Flash 7 (and presumably 8) gives advertisers the option to not only capture data from your mic or video camera – but to also store data separate from your cookie files that can be read by macromedia.com (and presumably its advertisers, though I am unsure of this last point). Click the 4th tab on the privacy manager and check the ‘Website privacy settings’ and see what sites you have visited that have already stored info on you and whether they have the ability to remotely access your A/V equipment.

Now the big thing Macromedia will say is, well, it's in our privacy manager and we are not hiding anything from you. The tiniest of tiny fine print like that is most often never read by consumers. I think we need someone like Eliot Spitzer to step up and make the big tech companies spell this out in clear and plain English, in big bold letters.

  1. This has been a feature in Flash for years. Nothing new and it just allows for stuff like Odeo’s upcoming podcasting application.

  2. even so jon, this is a bit of news to me. i had no idea that the information (from my computer) was so easily shareable. they should have been more upfront about it. i am not sure i will use odeo because of those reasons.

  3. Chill out dude… The flash soapbox items (the equivalents of cookies) that are stored by a flash movie loaded from domain.com are only accessible from the same domain.com (not even from *.domain.com) under default settings. And yes, this has been there since flash 6.

  4. Jonathan Hirshon Saturday, July 23, 2005

    All possibly true – but I for one just learned about this now and was horrified to learn that some website could remotely access my webcam and mic. Sure, it might be old news to some – but I think the vast majority of users know NOTHING about this.

    Cookies aside, can you imagine a virus or worm that somehow rejiggers your settings so a remote hacker can turn on your webcam or mic at will – the possibilities for that kind of privacy invasion should scare anyone!

    Macromedia should put it in big, bold words during the install process that websites have the ability to remotely access your A/V hardware and GIVE YOU THE OPTION TO PERMANENTLY SHUT THAT DOWN.

    Some people may have a need for this, and power to them – but the vast majority of people don’t, and Macrodobe should really be upfront on this one, IMHO.

  5. I read your blog regularly, and really enjoy your work. With that said, I really think you’ve missed the boat on this entry, and are misrepresenting the security vulnerability of Flash. The flash player cannot access your mic or vid cam without you first granting permission. When a flash app is built so that a user can communicate with someone else, such as with a video or audio conference, users who join the conference grant permission, or allow the session to engage their video cam and mic. Macromedia, or the flash developer can’t sneak in and take control of your camera or mic.

  6. Unplug the camera when you are not using it, same for the mic.

    There, problem solved, and we did not need some government regulation.

    BTW: did you know your phone’s mic is always live and can be used by the police to listen in on you?

  7. Malik on SWF cams

    Malik on SWF cams: My thanks to those who posted accurate info in response to Om Malik’s under-researched promotion of an email he received about “Hey, what’s that webcam control in the Macromedia Flash Player!?” Recap: You can explicitly consent…

  8. “i had no idea that the information (from my computer) was so easily shareable.”

    It isn’t — a quick web search on terms like “site:macromedia.com webcam privacy” will turn up info without frightening the horses.

    Recap: Two-way live video communications were added to the Macromedia Flash Player in March 2002. The default is no access unless you explicitly click otherwise. The only problem I’ve seen in the past 3.5 years has been a similar under-researched A-lister scare back in Dec02.

    If you ever have a privacy or security concern with Macromedia technology, then it would be to everyone’s interest to have it addressed:
    http://www.macromedia.com/devnet/security/security_zone/alertus.html

    “Now the big this Macromedia will say, well its in our privacy manager and we are not hiding anything from you.”

    No need to hypothesize or project — if you can’t research it on your own then checking in beats making up quotes.

    Regards,
    John Dowdell
    Macromedia Support

    1. John,

      Shame on your rebuttal and the company you work for. It is disgusting to think you would reply with such gibberish. The fact is, ADOBE/FLASH HAS CROSSED THE LINE. Having ANY hooks that would allow access to my Microphone or Camera or store information locally WITHOUT MY DIRECT CONSENT (ever thought of OPT IN, versus having to OPT OUT!!), is nothing short of dishonest and plain WRONG!

      The best is making users GO TO YOUR WEBSITE to make changes to flash settings? Don’t get me started. It’s wrong, and you are getting away with it for the time being but more and more people are becoming aware of the spyware practice of Adobe and the like.

  9. John

    those are not quotes, but you turn them into quotes. you know what i never found those security and privacy alerts because the damn software came bundled with the computer and believe it or not, i had no idea about this issue till it was brought to my attention.

  10. Also John, you miss the point: the idea here is to make it simple and clearer. JD makes fun of A-listers who picked up on it, but then as a company you never made it easier for folks to figure this out. My big problem is that companies like Macromedia don’t explicitly state privacy and security policies in plain English, in big type, that normal human beings can understand.
