The flaw, which was discovered by security blogger Michele Spagnuolo and has allegedly been known about for some time, makes it possible for hackers to steal the cookies that authenticate returning users on thousands of websites using Flash.
“I present Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site,” Spagnuolo wrote.
Rosetta Flash attacks have three components. The first involves an SWF file that can perform GET and POST requests to a web domain without any cross-domain checks. Spagnuolo says that attackers who upload SWF files onto vulnerable domains “can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled domain”.
Once done, the attacker uses the second component, JSONP. According to Spagnuolo, this “allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL”. Normally, the JSONP callback is restricted to alphabetic characters, and that restriction is exactly what Rosetta Flash is built to satisfy; this is how it enables an attack with the SWF/JSONP combination.
Finally, the third component of the attack takes advantage of the fact that SWF files can be executed if they look like valid Flash files – in other words, a modified malicious file on the attacker’s domain can be the vector.
The key to all of this is Rosetta Flash (on GitHub), which takes the SWF file’s binary data and maps all the non-alphabetic bytes to the alphabet. This allows the converted malicious SWF files to still be recognised and executed as Flash.
Spagnuolo demonstrates how to do so in a proof-of-concept, getting SWF files verified as FlashVars in order to perform a GET request with the target’s cookie, then POST a variable with the exfiltrated data.
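As an added example (not from the article or from Spagnuolo's tool), this is the server-side hardening commonly applied against this class of attack: a whitelisted callback name, a `/**/` prefix so the response body can never begin with an SWF signature, and headers that stop the browser treating the reply as anything but a download. The function names and the sample callback are constructed for illustration.

```python
import json
import re

# Flash Player recognises a response as SWF when it begins with one of these
# signatures (uncompressed, zlib-compressed, LZMA-compressed).
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Identifier-style whitelist for the callback name. Note that even a strict
# whitelist still admits a name beginning with "CWS", so filtering alone is
# not a sufficient defence; the comment prefix below is what breaks the trick.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def is_valid_callback(name):
    """True if the callback name matches the identifier whitelist."""
    return CALLBACK_RE.match(name) is not None


def naive_jsonp_response(callback, payload):
    """Pre-fix pattern (constructed): the callback is reflected as the very
    first bytes of the body, so the requester controls the file signature."""
    body = callback + "(" + json.dumps(payload) + ");"
    return {"Content-Type": "application/javascript"}, body.encode("utf-8")


def hardened_jsonp_response(callback, payload):
    """Hardened JSONP reply as (headers, body).

    The "/**/" prefix is a no-op in JavaScript but guarantees the body starts
    with "/**/" rather than a caller-chosen string, so it can never match an
    SWF signature. nosniff and an attachment disposition stop the browser (and
    plugins) from reinterpreting the content type on their own.
    """
    if not is_valid_callback(callback):
        raise ValueError("invalid callback name")
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return headers, body.encode("utf-8")


def looks_like_swf(body):
    """Would Flash Player treat these response bytes as an SWF file?"""
    return body[:3] in SWF_MAGIC


if __name__ == "__main__":
    # Constructed sample: a callback whose first three bytes spell the
    # compressed-SWF signature while staying entirely alphanumeric.
    swf_like_cb = "CWSAlphaNumericCallback"
    _, naive = naive_jsonp_response(swf_like_cb, {"session": "demo"})
    _, hardened = hardened_jsonp_response(swf_like_cb, {"session": "demo"})
    print("naive body starts with SWF magic:   ", looks_like_swf(naive))
    print("hardened body starts with SWF magic:", looks_like_swf(hardened))
```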
Most users will receive Adobe’s patch via their browsers (this is usually done automatically), but for those who don’t the update is available to download here. Google was notified privately by Spagnuolo and has already fixed its affected domains, while Tumblr has also been patched according to Ars Technica.