Joseph Crawford: Scary iSight Trick | Joseph Crawford

  • kris · 3 years ago
    this is AWESOME i need the quartz file for this, also, i see where you're coming from with the little being insecure thing, but the green light pops up (at least on the MacBooks, MacBook Pros, and iMacs, i don't know about the stand alone iSight) so you will know when it's happening and you can take proper actions
  • Joseph Crawford · 3 years ago
    it works on the standalone as that is what i have. I thought this was a sweet trick, however i find it could be insecure and we could be spied on lol. I will update when i know more :)
  • kris · 3 years ago
    dude this is amazing. props, i dugg it.
  • kris · 3 years ago
    nice... i got it to work in a quartz composition. how exactly do i embed it into my site now?
  • Joseph Crawford · 3 years ago
    view the page source :)
  • Cameron Hunt · 3 years ago
    You know that the video feed is all local using this method, right? Using a Quartz Composer file, you manage to show the users their own iSight, but the video feed does not leave their machine. For instance:

    Using a Quartz Composition like you have, the video feed goes like this:
    iSight > Quicktime Plugin > Web browser display

    It never leaves their machine, and won't affect the security of their machine. Try getting someone else's iSight to show up on your computer, or written to your web server and then we'll have some news.

    And BTW, it didn't work in Safari in my Intel Mac, just in Camino.
  • Gareth · 3 years ago
    That's really cool, and scary at the same time. Thank god for the little green light on my macbook, at least I know when it's watching.
  • Adrian · 3 years ago
    Yes that is genuinely scary.

    (although i'm very impressed by the quality!)

    It makes me think twice about my plans to buy a new macbook pro when CS3 comes out...
  • christian · 3 years ago
    man, this is indeed scary! great work though!
  • Martin · 3 years ago
    I'm amazed that no-one has found this out before. iSight cameras have been included in Macs for ages. It's a cool trick but I suspect it's entirely local (at the moment)
  • osbjmg · 3 years ago
    This doesn't show anything, can YOU see MY webcam output? I think not, this is lame.
  • jin · 3 years ago
    This is not scary. It's same as making the screen black and show you your reflection. QC does not have a file output patch so it is not able to send it out to any url.

    I've done this with the Audio Info and the screensaver to freak out people in the office.
  • Matt · 3 years ago
    This is cool. On my macbook pro a little green light comes on letting you know the camera is on. If someone could figure out how to turn on the camera without the light, that would be sweet.
  • matt · 3 years ago
    If somebody wants to see me jerking off to internet pr0n then so be it.

    Good find however.
  • Someone Smarter · 3 years ago
    Guys, this is not scary and not impressive.

    This is a Quartz Composer module that lets you use the iSight as an input device. QuickTime can play QC compositions and QT can be embedded in a webpage. There ya go.

    It cannot be transmitted, saved, or accessed outside of the composition, and the composition cannot transmit the data in any form, only process it for display.
  • gkid · 3 years ago
    Very cool trick. Luckily enough.. When the iSight cam comes on, it is accompanied by a green LED that lets you know it is on.
    If you are being watched, the light should come on, right?
    This trick would be really spooky if they could come up with a way to get a feed from the camera without the light turning on.
  • IaN Smith · 3 years ago
    It's not entirely local, or else iChat wouldn't be able to use it. I'm sure there's a way to exploit this, and it would be nice if Apple had a sys prefs for it to disable it completely.
  • Duncan · 3 years ago
    But isn't the video just 'local'. Just because it's using my iSight doesn't mean it's available remotely.

    Another cool thing to do in compositor is to set an attribute (like size) to your audio in. So the movie resizes (or changes colour etc.) when you clap. People love this kinda thing.

    You can also use these as screensavers. A hell of a lot of fun!
  • Josh · 3 years ago
    Pretty scary stuff. As one poster said, thank goodness for the green light.

    As of yet do we know any way to turn the iSight on without activating or by deactivating the green status light?
  • Storn · 3 years ago
    Yes, this is a very misleading and naive post. You can not monitor this remotely, it's simply displaying the local feed and does not compromise your security in the least. You should really correct your article.
  • Ed Black · 3 years ago
    Just as a matter of interest, this is something that was quite deliberately implemented.

    There is no exchange of video with the outside world, it never leaves the local context and is the equivalent of a "file:///" link.

    For that reason, the phrase "can be viewed remotely" is not accurate, as it can not.
  • Chris Adamson · 3 years ago
    I liked this better when I blogged it last year - http://www.oreillynet.com/mac/blog/2005/07/quar... . And I stole it from someone else - http://www.pycs.net/bbum/2005/5/19/
  • bloggerton · 3 years ago
    >>And BTW, it didn’t work in Safari in my Intel Mac, just in Camino.

    Really? 'Cause it worked in mine on Safari...
  • JimW · 3 years ago
    Works for me, too... Not with an iSight, but with a digital cam attached via Firewire to my G4 tower.
  • Greg Lloyd · 3 years ago
    This is not scary and works as designed. If programmers didn't have the ability to turn on and off the iSight and display it locally then how would they write programs that use it? Skype and ichat basically do the same thing when you are video chatting with someone else, except they send to the person/people you are chatting with, how do you know skype isn't sending it to george bush too?
  • darkfeary · 3 years ago
    Hmmm must work only with that cam because it doesn't work with a Quick Cam . bummer i wanted to see what it was about too .. ah well.. lol
  • Sean · 3 years ago
    This is not being viewed remotely. It's just passing the feed from your camera to a placeholder on the page - all client-side, nothing going to the server - his site would have come down with the bandwidth requirements by now if it was going to his site and back. Remote viewing my arse!
  • Sean · 3 years ago
    This is all local/client-side - if it wasn't, this site would have come down with the streaming bandwidth requirements.

    Remote viewing my arse! (Hi mum!)
  • progosk · 3 years ago
    i'm on a pbg4 running panther with firefox and a firewired isight, and all i get is a quicktime window saying there's a component missing.
  • eldertaco · 3 years ago
    I fail to see how this is "scary" unless whatever your iSight is pointed at is scary.

    As for it being a security risk, maybe slightly and if that's the case expect to see a patch.
  • some bugger · 3 years ago
    well, this has been around for a couple of months. it's just that ... locally displaying your own video stream. not to be scared of.
  • Joseph Crawford · 3 years ago
    guys you can call this naive if you want, I also stated i was not sure it could be viewed remotely. I also stated i was not the original finder.
  • Anon · 3 years ago
    Could javascript access the quicktime instance?
  • ben · 3 years ago
    you've proven that you can view your own feed ... but how can others view yours? wouldn't they just view their own?

    quartz composer is a plugin set within iMovie right? or am i missing something here?

    worldpeace,
    ben
  • IaN Smith · 3 years ago
    Quartz Composer comes with dev tools, required to see what this is about. Anyway, this post is misleading (unless read carefully all the way through). I think you should change the title before you need to call the fire department to put out the flames...
  • Daniel · 3 years ago
    I'm running Firefox 2.0 on an Intel Mac, works perfectly. Scared the buggery out of me for a sec there
  • Peter Kirn · 3 years ago
    Well, it's scary in that the connection can be without your permission (although only locally ... no way to retrieve the image data, though that could potentially be possible and thus a security hole).

    Flash has had the same feature since Flash 7, but requests access to your camera and other devices for security purposes. (Flash can also do slightly more with the image once it has it, at least in 2D.)
  • Dude · 3 years ago
    Dude. Did you find this trick off of this site:
    http://www.oreillynet.com/lpt/wlg/7409

    or this site:
    http://www.pycs.net/bbum/2005/5/19/

    or even this site: http://www.mvldesign.com/video_conference_tutor...

    ???
  • marek · 3 years ago
    Viewers, this is ridiculous if you think this is an actual security threat. Your computer won't just start broadcasting video upon a random request. Why would it be listening for that request without your permission. The reason the video is so clear is because it is a local feed, just displayed in a browser rather than a camera feed application like photobooth. This is NOT a security threat. Wait to be scared when it is demonstrated that you can gather the feed from someone ELSE's iSight without having it pre-setup to actually serve this purpose.

    ...
    You guys need to learn a little bit more about the internet and how it works. Big Brother is NOT watching...
  • marek · 3 years ago
    OMG do you have a microphone on your computer?! THAT MUST MEAN EVERYONE IS LISTENING TOO!

    WITHOUT YOU EVEN KNOWING?! I HOPE YOU HAVE A MUTE SWITCH ON YOURS AND REMEMBER TO TURN IT OFF WHENEVER YOU'RE NOT USING IT!!!!

    Maybe people are listening in on your conversations even when you are using it too!?

    OMG...

    ...
    No, again, this is not happening. iSight is no different than any other input device, it simply inputs video. keyboards input type, mouse inputs tracking and clicking, microphones input sound- iSight inputs video. Just because it has the ability to broadcast video, doesn't mean it just does it without you telling it to do so and ESPECIALLY not without you knowing about it.

    Please learn about how the internet works before screaming "bloody murder" all over the place. This is not neat, nor is it a trick. It does not expose you to security threats or anything.

    ... enough said. the people that are scared of this won't even bother reading the comments posted by others, they will just hop to the bottom in panic saying "OMG what a security threat!" "I can't believe this!" "I will think twice about jerking off w/ my computer again!" "Hope everyone's not watching my cyber affair!"

    ...
    ...

    ...
  • Andrew · 3 years ago
    Incredible! I don't have any iSight, but I do hook up a regular Firewire camcorder to do video chat through iChat, and this works with that as well!
  • Flatron · 3 years ago
    Cool !

    it works here without an isight cam (logitech quickcam with ichatusbcam)
  • Nili1968 · 3 years ago
    works also with my quickcam

    NJ
  • Miek · 3 years ago
    I don't know who's more annoying: The moron who's written this to trick people or the absolute fools who keep believing this tripe even after others have rightly pointed out that it's just a local view of your own webcam. Far out.
  • Joseph Crawford · 3 years ago
    Dude. Did you find this trick off of this site:
    http://www.oreillynet.com/lpt/wlg/7409
    or this site:
    http://www.pycs.net/bbum/2005/5/19/
    or even this site: http://www.mvldesign.com/video_conference_tutor...

    If you checked the post you would see that your first link is linked in my post.

    Also if you guys read the post you would see that i said i was not sure if it was a security risk or not, I also stated i was not the original person to discover this trick, which is why i linked to the oreilly link in the post.

    So this may be old news but it sounds to me like there are still a lot of people who did not know this was possible, including me as i am new to the Mac.

    I am wondering if there is a way to grab the video feed or even stills from the feed using javascript and having them uploaded to the server somehow.

    I am going to dig a bit deeper but if it is on the screen there is probably a way to make screen shots of the camera.

    Maybe there is not, but it's worth digging into and finding out.
  • Godrifle · 3 years ago
    Before you freak out (oops, too late), this functionality is no different than a web cam, if you add AppleScript/Javascript/WhateverScript to upload to a web server.

    Big deal.
  • Roland · 3 years ago
    Man, this is scary. Security risk or not, I immediately turned off my iSight!
  • TJ Lambert · 3 years ago
    The MacInTouch page blogging this page shows my external FireWire DV cam, but on this page, it turns on my built-in iSight.

    Interesting, as my FireWire DV doesn't light up the red 'recording' light when it's activated by this script, but the iSight does.

    I've got a new iMac core2 duo 20".
  • devil's advocate · 3 years ago
    Let me preface this by saying - I know nothing about iSight video or the Mac's video interface in general. I don't have one - and I don't use it. So I'm interested purely as a spectator in the Mac community.

    If I were approaching a challenge to hack the Mac video system so that I could view video on someone's iSight (or other) video camera without their approval or knowledge, I would go down the list of hurdles and figure out how to overcome them one by one.

    Maybe this "trick" isn't new - but getting the camera to turn itself on remotely is certainly one of the hurdles. I would think the next would be to do the same without activating the light or notifying the user that it's done so.

    Another might be to get it to broadcast the video - or possibly just to record it, and upload/save it somewhere for remote viewing at a later time.

    I don't know that any of this is possible. But instead of calling the guy naive - why not write up a detailed explanation for the "common folk" of why this can't and never will be exploited so they don't feel like this is a "Big Brother" situation?
  • Joseph Crawford · 3 years ago
    devil's advocate

    The reason people were calling me naive is because i was stating that it was being streamed and i was incorrect. This in fact is not being streamed anywhere. The embedded quicktime movie basically turns on your web cam and shows it in that movie. It is all done locally which is why the video quality is so great.

    As for streaming or recording this i am not sure that is possible. I mean I am sure you can record it however you would have to have an exploit installed on the visitors machine before you could do anything with it.

    I am not that advanced with the mac yet so i am not sure if you could use some scripting in the page to make it execute an FTP command in the background or not.

    However all of the JavaScript developers i have talked to say it is not possible to do a screen capture and upload the images to anywhere with the current default security settings in the browsers today.

    I am going to continue trying to see what can be done as far as the light, and or uploading the results, however nothing goes to my web server so i cannot just cache the stream or screenshots.

    Nothing ever leaves the end users computer.
  • Joseph Crawford · 3 years ago
    Godrifle: This is not the same, nothing is being uploaded anywhere.
  • Dave Schroeder · 3 years ago
    The iSight "hijack" is nothing more than a QuickTime movie embedded in a web page that displays the locally-attached iSight on the local computer. This has nothing to do with the internet or the web just because it appears in a web page. This is a feature of the iSight, and QuickTime movies can easily be embedded in web pages. The fact that it's a QuickTime movie that displays the output of a locally attached iSight is incidental.

    To be clear, this only allows a locally-attached iSight to be viewed locally. For someone to view this content remotely, they'd have to already have compromised and have control over your machine, something that we know from experience isn't likely. (Also, even if a machine was completely compromised, there would be hurdles to viewing the content remotely, live, easily. But if the machine was completely compromised and could be controlled remotely, essentially anything could be done with it. But that's a pretty high bar: the machine still needs to be compromised and able to be remotely controlled.)

    If someone is really paranoid, iSight video digitization can be disabled completely by removing:

    /System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component
    /System/Library/Extensions/Apple_iSight.kext

    Incidentally, this is a way to disable the iSight on managed machines in settings where camera use is not desired.

    However, if someone compromises your machine, which would be the only scenario in which someone could remotely view your iSight, obviously those items can simply be re-added. The point is that for this to be interesting, it requires the machine to be compromised. Otherwise, it's just displaying the local iSight to the local user.

    Regards,

    Dave Schroeder
    das@doit.wisc.edu
    http://das.doit.wisc.edu/
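
Added example, not part of the original thread or of Dave Schroeder's comment: a POSIX shell audit that checks whether the two items named in the comment above are still present under a given system root, for the managed-machine case he mentions. The function names, the root-prefix argument and the exit-code convention are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): report whether the two items the
# comment says to remove are still present under a system root.

# Paths exactly as given in the comment, relative to the volume root.
ISIGHT_ITEMS='System/Library/QuickTime/QuickTimeUSBVDCDigitizer.component
System/Library/Extensions/Apple_iSight.kext'

# Print each listed item that still exists under ROOT, one per line.
# ROOT is an assumption of this example: "/" for the running system, or the
# mount point of another volume or image being inspected.
isight_items_present() {
    root=${1:-/}
    printf '%s\n' "$ISIGHT_ITEMS" | while IFS= read -r item; do
        path="${root%/}/$item"
        # -e misses a dangling symlink, so test -L as well.
        if [ -e "$path" ] || [ -L "$path" ]; then
            printf '/%s\n' "$item"
        fi
    done
}

# Exit status (convention chosen for this example):
#   0 = both items absent
#   1 = exactly one present (partial removal)
#   2 = both present
isight_audit() {
    root=${1:-/}
    present=$(isight_items_present "$root")
    if [ -z "$present" ]; then
        echo "OK: neither item found under $root"
        return 0
    fi
    printf '%s\n' "$present" | sed 's/^/PRESENT: /'
    count=$(printf '%s\n' "$present" | wc -l | tr -d ' ')
    if [ "$count" -ge 2 ]; then
        return 2
    fi
    return 1
}

# Run against the root given as the first argument, if any.
if [ "$#" -gt 0 ]; then
    isight_audit "$1"
fi
```

Because the comment notes that the items can simply be re-added, a check like this is only meaningful when it is run repeatedly, not once.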
  • Rich · 3 years ago
    I first viewed this demonstration on the MacInTouch web site. It scared the hell out of me! The fact that some malicious web master could grab an image or video of me without my permission or knowledge is frightening! Also I suspect it is illegal (at least here in the US). Imagine being able to peer into people's offices or bedrooms without them knowing- bad idea!

    I use a Firewire iBot that does not have a lens cover. As I speak, it is now pointing down at the desk. Just because you CAN do this, doesn't mean you SHOULD! I know that Flash has settings that allow you to Deny these types of intrusions (viewing your video) without your permission. Perhaps Apple needs to build this into Quicktime!
  • Joseph Crawford · 3 years ago
    Rich,

    Follow the comments :) You are the only one viewing your stream. It is done locally. No one can view your camera from my site. Also it actually is not even hitting my site so there is nothing illegal about it.
  • Rich · 3 years ago
    Dear Joseph:

    I did follow the comments, however the implication is that this can be done remotely without one's knowledge or permission. That is what is scary. Otherwise what is the point of viewing your own web cam on a web page?

    It shows that this kind of thing can be done and it is one step away from doing it remotely. If you just created this as a simple parlour trick, then it is really "neat", though the implications are frightening.

    Joseph, you are obviously a bright man, I am afraid that this could be used in a less than honorable way in the wrong hands and some tweaking.


    Rich
  • Joseph Crawford · 3 years ago
    Rich,

    I wouldn't go as far as saying i am bright when it comes to the mac lol I honestly just started with them. I did not create this hack yet i followed the instructions on the page (which i linked) I am not the person who discovered this hack.
  • Rich · 3 years ago
    Thanks Joseph!

    Through your posting of this previously published hack, you have brought it to the forefront and hopefully this potential exploit will be patched before someone less than honorable uses it for their own benefit.

    Rich
  • Dave Schroeder · 3 years ago
    Rich,

    This CANNOT be done remotely without your permission, period.

    This is a Quartz Composer composition saved as a QuickTime movie. QuickTime movies can be embedded and autoplayed in web pages. It uses known features of both Quartz Composer and QuickTime. This also isn't new (I saw demos of this, including from Apple itself, over a year ago).

    Also, this is NOT remotely exploitable. That is not an opinion. There also isn't any way to record or store anything with this mechanism, much less send it somewhere. Some other exploit would have to be used to compromise a machine, at which point anything could be done with it (including using QuickTime Broadcaster to send video from the iSight, for example).

    To me the larger issue is whether or not Apple should offer an easy way to disable/cover the iSight, or offer an option to delete the iSight hardware for government/military sales. This little "trick" is just a reminder that if there were a genuine exploit (which is NOT made easier by this nifty trick) where someone compromised a machine, the camera is available for use.

    Again, this little trick does NOT make any exploitation of the camera easier. There would still have to be some other compromise in which an attacker has already gained complete control of the machine to make any use of the camera. This plays off the fact that making something appear in a web page evokes notions of "Oh wow, since it's in a web page, it must have something to do with the internet" or "it might be vulnerable to a web or Safari exploit," neither of which are true.

    If another vulnerability was used that allowed enough access to the machine to do something with the camera, they'd already necessarily have a level of access that would allow the attacker to do pretty much *anything* with the machine; embedding a Quartz Composer composition into a QuickTime movie and the fact that it can be embedded in a web page does not make such an exploit or attack any more or less easy, period.

    Regards,

    Dave Schroeder
    das@doit.wisc.edu
    http://das.doit.wisc.edu/
  • Jack Rodgers · 3 years ago
    All this reminds me of when Sun was first advertising/releasing Java. I spoke out saying it posed a serious threat to security by giving amateurs such power. I was hooted down by people quoting Sun's advertising about security and geniuses testing it... Guess who was right.

    Anyway, all of the statements regarding its no threat disregard all of the cool things hackers and scammers can do with our computers. And sometimes I kinda feel people are patting themselves on the back with their posts.

    One company sells software to capture the music feed from protected cds and convert that to a file. SnapZ Pro and other appls capture images from the screen.

    If the video is there, it's being stored somewhere in RAM or VM and so that can be read and processed.

    My guess is that it is only time before someone does produce a program to capture the video and it is probably being done now. Oh, your cell phone with its camera is also a possibility.

    Well, I know I will be wearing more clothes from now on... :)
  • Dave Schroeder · 3 years ago
    Rich,

    I didn't even read your last reply until I had already posted my previous one.

    This is not an exploit, and won't be patched. It's a feature of Quartz Compositor and QuickTime, and no one "less honorable" can use this for anything.

    The fact that it is a QuickTime movie that happens to display your local iSight to you within a web page is incidental and irrelevant. It does not make any kind of remote exploitation of your iSight easy, or even possible. If someone had a level of access to your machine that did allow exploitation of your iSight, they would already have control over your entire machine and would be able to do anything anyway.

    This nifty little trick does NOT make such exploitation possible, or even easier, period. If anyone still thinks it does, or that it might, or that they're not sure, they simply do not understand the most basic elements of what is happening in this demonstration.

    Dave Schroeder
    das@doit.wisc.edu
    http://das.doit.wisc.edu/
  • Dave Schroeder · 3 years ago
    Jack,

    While this is all interesting, you're incorrect. This is no threat. This particular mechanism does not allow recording, by its very nature.

    If someone had a level of access to your machine necessary to use your iSight surreptitiously, they already have control over your machine. This trick is just interesting to people because it makes them think it has something to do with the web or the network because it's in a web page. The only reason it's in a web page is because the QuickTime plugin can display QuickTime content in a browser. This is no different than playing a local movie on your hard drive in Safari. Does that mean your video can somehow be shared over the internet just because you're playing it in a browser? Nope.

    This is one of those things, that if it gets critical mass, some irresponsible and incompetent journalist from a major media outlet will pick it up and run it with a really outrageous headline. This does NOT allow spying on you, does NOT allow anyone to use this remotely under any circumstances, and does NOT make any remote use of your camera in conjunction with an "exploit" easier. If someone used an exploit to gain any level of access to your system that would allow usage of the camera, they wouldn't be using a Quartz Composer movie in a web page (since that can't do anything at all). They'd be using custom code that archived or streamed or took stills or what have you from your camera, or they could use any number of other techniques to use and abuse your machine.

    But *your machine would have to be exploited for this to occur*.

    The fact that a Quartz Composer composition can be saved in a web page does *not make any such exploits easier in any way*.

    I really wish people would get this straight.

    Dave Schroeder
    das@doit.wisc.edu
    http://das.doit.wisc.edu/
  • Rich · 3 years ago
    Thank you all for your explanations, I guess the most disturbing part of this demonstration is that those cameras without physical shutters are vulnerable. Perhaps not with this particular demonstration, but in other- yet to surface ways. There must be a System level preference to allow Administrators to determine how and if Users are permitted access to the iSight. Also there should be a simple shutter or dark shade incorporated into the embedded camera. The feeling I got seeing my groggy mug on the web page was that my privacy had been somehow violated. I realize now that was not the case, but the feeling remains. From now on my external camera will be face down or unplugged until I want to use it.

    Thank you for not calling me a moron!
    Rich
  • Joseph Crawford · 3 years ago
    Dave,

    Thanks for taking the time to clarify the fact that it is not an exploit or security risk in any way.

    I think my friends who are JavaScript developers eliminated the ability to use client side code to take a screen shot and upload it somewhere.

    After some investigation that was the only way i could think you would be insecure as the client side code could run a screenshot. I am not sure if that is even 100% eliminated as there are more people out there i would like to ask about this to see if maybe there is in fact a way to do this with JavaScript.

    Is there anything built into apple that blacks out the video on a screen capture? If Apple does nothing about that and if it is possible to do a screenshot and upload with JavaScript then i do see a security risk there.

    What are your thoughts on this method Dave?
    If you feel it cannot be done please explain.
  • bbum · 3 years ago
    Yeah -- this has been around for a while. No -- no video is sent back to the server. Here is a version I did last year that stylizes the video to look like aHa's 'Take On me...'. No -- I'm not smart enough to write the original patch. Sam Kass did that.

    http://www.friday.com/bbum/2005/05/19/take-on-me-2
  • Ola · 3 years ago
    Weird!

    Does not work in Safari!
    But Firefox renders the page with picture!
  • Dave Schroeder · 3 years ago
    Rich,

    You are correct that, if anything, this is a reminder that cameras without physical shutters, or the fact that cameras cannot be physically disabled or omitted in the latest iterations of Apple's products. It's also a reminder that if a machine were compromised, an attacker could potentially have control over the camera (as well as anything else), which could cause a variety of problems for secured environments (not to mention personal ones ;-).

    But to be clear, this particular demonstration doesn't make such a compromise easier or possible. It merely serves as a reminder that such a compromise, in which an attacker had full remote control over the machine and could do anything with it anyway, could also use the camera.

    Joseph,

    As far as screenshots are concerned, a screenshot would still have to be taken, and then uploaded somewhere. Again, that is not possible unless it would be via some other mechanism of compromise. It's important to understand that this Quartz-Composer-in-QuickTime-embedded-in-a-web-page trick doesn't make any possible exploit that could take advantage of this easier.

    Now, if there was some remote exploit where an attacker could take a screenshot of a web page and upload or capture it somewhere (which currently doesn't exist and I don't see how would be possible, but seems to be what a lot of people are saying), then, yes, this could be interesting. But the point is, some other MAJOR exploit is required to take advantage of this in any way. And if someone already had access to your machine in that way and wanted to use your camera, they're not going to trick you into going to a web page with a Quartz Composer movie in it - they're just going to use your camera. ;-)

    The reason why this is "scary" is because you're seeing yourself on a "web page". But in reality all that's happening is you're seeing a QuickTime movie that happens to have an action to display a locally attached iSight that is embedded in a web page. There is no inherent security risk, real or perceived, from even turning on your iSight in this fashion. A security risk would imply and require that it could be used for something improper or without your knowledge, and it cannot.

    Saying that it "turns on your iSight without your permission" is like saying that a web page is displaying text "without your permission." There is going to be this strong urge for people to say, "But...but...it's a *camera*! This *has* to be bad somehow!" But in reality, it's not. It's just a nifty trick with no security implications, which is why it's been around for so long, and even Apple itself has demonstrated how this could be done. It's the idea of seeing yourself unexpectedly on a "web page" that's startling.

    Now, I will fully agree that iSights and Apple's integrated cameras should have physical shutters or the ability to be physically disabled and/or omitted completely from orders (particularly for government/military applications), but that is another issue altogether.

    Also, using this trick to turn on someone's iSight might be a neat trick, but it's somewhat disconcerting. While it may be rude, as long as one understands the technical details of what is actually occurring, that's all that it is: rude. But definitely not a security risk.

    Regards,

    Dave Schroeder
    das@doit.wisc.edu
    http://das.doit.wisc.edu/
  • Joseph Crawford · 3 years ago
    Dave,

    Thanks for explaining that.
  • Crazybitch · 3 years ago
    Huh.....I have an iSight but it doesn't work. I see no picture, and my iSight is still off.
  • Jules · 3 years ago
    Awesome !!
    Would be cool to have the possibility to take a snapshot so this trick could be used, for example, on user registration : user could add a picture to his account.
    Just show the user face, then user click on "take a photo" then the photo is uploaded and added to his account , in his prefs.

    Cool stuff !
  • GillesB · 3 years ago
    A piece of tape is enough to disable it!!!
  • Iain Anderson · 3 years ago
    That's not scary. This iSight Trick is scary:

    http://funwithstuff.com/blog/2006/11/got-mac-in...
  • Peter Morgan · 3 years ago
    Wow, you can display a local feed from an iSight. So what.
  • Dave Schroeder · 3 years ago
    Jules,

    That wouldn't be possible since there's no way to use this remotely.

    You could, however, instruct the person to take their own picture with their iSight (e.g., with Photobooth) or other camera and upload it...

    There is no special way to "use" this in the way you describe just because it happens to be in a web page. I want to make this clear, because if people think that what you describe is possible, then there are ways to abuse it. (See my previous messages.)

    Dave Schroeder
    das@doit.wisc.edu
    http://das.doit.wisc.edu/
  • Godrifle · 3 years ago
    Check out this version, which also uses your microphone: http://www.uccs.edu/~cbrewer/gigo_files/ab0273a...
  • Murdoch · 3 years ago
    It's weird that I see this now here for the first time, 'cause I just had a dream 2 or 3 days ago that Apple was actually working for some secret agency like the CIA. And all the Macs had an iSight now so they could spy on people 'cause they had access to all of them through some software available only to them. :(
  • Dave Schroeder · 3 years ago
    Murdoch,

    Except that's not what's happening, because that's not what this does. And if what you said were happening, it would be ridiculously easy to see outbound network connections being made, whether by wired, wireless, or any mechanism. That can't be hidden.

    This trick CANNOT BE USED REMOTELY, BY ANYONE.

    Dave Schroeder
    das@doit.wisc.edu
    http://das.doit.wisc.edu/
  • Bill Mead · 3 years ago
    The only scary thing about this is that it is a picture of me. Whoa! Who is that big fat bald guy? Oh, it's me!
  • Security is Not Just Technolog · 3 years ago
    Judging by the number of posters that find this scary, I think that one can safely conclude that this trick could be used to "Socially Engineer" an exploit. For example, someone could be convinced that you have video of them doing something embarrassing and that leads to blackmail.
  • Fanoo · 3 years ago
    And how do you turn it OFF?
  • Joseph Crawford · 3 years ago
    What do you want to turn off?
  • Booperkit · 3 years ago
    Are there any patches that allow this to work with 10.3.9? Any ideas?
  • Leo · 3 years ago
    I found this info very interesting and useful. Thanx a lot.
  • Joseph Crawford · 2 years ago
    Thanks for all of the comments guys, I appreciate the feedback
  • Lou Ordorica · 2 years ago
    Joseph,

    I'm looking for a way to show a small, borderless live video window to use in screencasting. The idea is to record the presenter while he is demonstrating software. Here is rough example:

    http://mediacast.sun.com/share/lou/RSS_Demo.mov

    Would you know how to do this without using a clunky Quicktime preview window?

    Thanks
  • Joseph Crawford · 2 years ago
    Hello,

    Honestly I would not be your best bet for advice here, maybe someone else who has commented on this post could help out.

    Although it just looks to me like they are showing their video locally (could do it with iChat even) and screen casting it so that it is captured inline with what they are doing.
  • Jay · 2 years ago
    I now notice that the iSight picture does not show up (Running Safari on my MacBook and iSight is not in use).

    Perhaps the 10.4.9 update corrected this "security flaw"?
  • Joseph Crawford · 2 years ago
    Yea my site got messed up and I didn't notice this was not working, I will have to get this working again. Thanks for pointing this out.
  • Joseph Crawford · 2 years ago
    I have fixed the video :)
  • Joseph Crawford · 2 years ago
    It looks to me like Leopard has fixed this so it can no longer be used... bummer it was cool while it lasted lol.
  • Giovanni · 1 year ago
    hi my name is giovanni and my high school has distributed laptops to all of its students i was wondering if u could put this hack on my myspace for me because i can't do it on my own we don't have the dev. toolz please email me and let me know how u feel about this..