Yes, bad guys can definitely access your webcam.
At this very moment, your operating system and browser have multiple security vulnerabilities that would allow an attacker to access your webcam. It is impossible for software vendors to identify and fix all the security bugs in their software. So, there are certainly many nasty bugs that they don’t know about.
Don’t believe me? Here’s a real-world example.
In October 2011, I discovered a vulnerability in Adobe Flash that allows any website to turn on your webcam and microphone without your knowledge or consent to spy on you.
This attack works by using a neat variation of the normal clickjacking technique that spammers and other bad people are using in the wild right now. For the uninitiated, here’s some background information from Wikipedia:
Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
Combine clickjacking with the Flash Player Setting Manager page and you have a recipe for some sad times.
I reported the vulnerability to Adobe through the Stanford Security Lab, but they didn’t respond for a few weeks, so I decided to post about it on my blog. It made headlines in CNET, Wired, The Register, Ars Technica, Gizmodo, etc. and so Adobe was forced to quickly fix it (which they did in less than 2 days). You can read the full explanation on my blog here.
Keep in mind: I discovered this vulnerability in just a few hours, while procrastinating on studying for my final exams. That means I had no profit motive (I did this because I was curious) and limited resources (I just viewed the source code of Adobe’s website).
Therefore, people with more resources and more to gain (like criminals and national government agencies) certainly know about similar or better vulnerabilities.
I used to think that people who put tape over their webcams were just paranoid or weird. After I discovered this vulnerability, that changed. Now I use the tape trick as well.