Adobe patches critical Flash flaw that can steal just about anything

Adobe has just issued a critical patch to fix a gaping security flaw in Flash that could affect users of dozens of popular websites, including eBay, Instagram, Tumblr and others.

The flaw, which was discovered by security blogger Michele Spagnuolo and has allegedly been known about for some time, makes it possible for hackers to steal the cookies that authenticate returning users on thousands of websites that use Flash.

“I present Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site,” Spagnuolo wrote.

Rosetta Flash attacks have three components. The first is a SWF file that can perform GET and POST requests to a web domain without any cross-domain checks. Spagnuolo says that attackers who upload SWF files onto vulnerable domains “can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled domain”.

Once done, the attacker uses the second component, JSONP. According to Spagnuolo, this “allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL”. Normally, JSONP callbacks are restricted to alphabetic characters, and that restriction is exactly what Rosetta Flash’s alphabet-only encoding is built to satisfy, which is what makes the SWF/JSONP combination work.

Finally, the third component of the attack takes advantage of the fact that SWF files can be executed if they look like valid Flash files – in other words, a modified malicious file on the attacker’s domain can be the vector.

The key to all of this is Rosetta Flash (at Github), which takes a SWF file’s binary data and maps every non-alphabetic byte onto the alphabet. The resulting file is still recognised and executed as a valid SWF.
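The three components above come together at one point a defender can control: the first bytes of a JSONP response. The following added example (written for this page, not code from Spagnuolo, Adobe or any of the affected sites) contrasts a JSONP endpoint that echoes the callback verbatim with a hardened one. The `weak_jsonp`, `hardened_jsonp`, `looks_like_swf` and `audit` functions, the callback regex, the `/**/` prefix and the sample responses are all constructed for illustration; the three-byte `FWS`/`CWS`/`ZWS` signatures are the real markers that identify a Flash container.

```python
import re

# A Flash container starts with one of these three-byte signatures
# (uncompressed, zlib-compressed, LZMA-compressed). A response whose body
# begins this way "looks like a valid Flash file" in the sense the article
# describes, whatever Content-Type the server declared.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Conservative callback policy (constructed for this example): JavaScript
# identifier characters only, bounded length.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def weak_jsonp(callback: str, payload: str) -> dict:
    """Echoes the callback verbatim, so the requester controls the first bytes."""
    body = f"{callback}({payload});"
    return {
        "headers": {"Content-Type": "application/javascript"},
        "body": body.encode("ascii", "replace"),
    }


def hardened_jsonp(callback: str, payload: str) -> dict:
    """Validates the callback, then prefixes the response so its first bytes
    are fixed by the server and can never form a Flash signature.

    Note that the regex alone is not enough: an alphabet-only callback name
    passes it. The fixed '/**/' prefix is what breaks the signature match,
    and nosniff plus Content-Disposition: attachment are belt-and-braces so
    the body is neither sniffed nor rendered inline.
    """
    if not CALLBACK_RE.match(callback):
        raise ValueError("invalid callback name")
    body = f"/**/{callback}({payload});"
    return {
        "headers": {
            "Content-Type": "application/javascript; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": "attachment; filename=response.txt",
        },
        "body": body.encode("ascii"),
    }


def looks_like_swf(body: bytes) -> bool:
    """Detection check: does an HTTP body begin with a Flash container signature?"""
    return body[:3] in SWF_MAGIC


def audit(responses):
    """Given (label, body) pairs captured from your own endpoints, return the
    labels whose bodies a Flash plug-in could mistake for a SWF file."""
    return [label for label, body in responses if looks_like_swf(body)]


if __name__ == "__main__":
    # Constructed callback whose first three letters happen to spell a SWF
    # signature; it is alphabet-only, so a character whitelist passes it.
    cb = "CWSExampleCallback"
    data = '{"session":"constructed-sample"}'

    print("weak   starts like SWF:", looks_like_swf(weak_jsonp(cb, data)["body"]))
    print("harden starts like SWF:", looks_like_swf(hardened_jsonp(cb, data)["body"]))

    # Constructed sample responses for the audit helper.
    samples = [
        ("/api/weak?callback=" + cb, weak_jsonp(cb, data)["body"]),
        ("/api/hardened?callback=" + cb, hardened_jsonp(cb, data)["body"]),
        ("/api/plain", b'{"ok":true}'),
    ]
    print("flagged:", audit(samples))
```

Running the audit over real captured responses from your own JSONP endpoints is a quick way to confirm that no endpoint lets a requester choose the first three bytes of the body; the fix is the server-set prefix, with `nosniff` and `Content-Disposition: attachment` as additional layers.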


Spagnuolo demonstrates this in a proof-of-concept, getting SWF files verified as FlashVars in order to perform a GET request with the target’s cookie, then POST a variable with the exfiltrated data.

Most users will receive Adobe’s patch via their browsers (this is usually done automatically), but for those who don’t the update is available to download here. Google was notified privately by Spagnuolo and has already fixed its affected domains, while Tumblr has also been patched according to Ars Technica.

photo credit: Striking Photography by Bo Insogna via photopin cc

Mike Wheatley

Mike Wheatley is a senior staff writer at SiliconANGLE. He loves to write about Big Data and the Internet of Things, and explore how these technologies are evolving and helping businesses to become more agile.

Before joining SiliconANGLE, Mike was an editor at Argophilia Travel News, an occasional contributor to The Epoch Times, and has also dabbled in SEO and social media marketing. He usually bases himself in Bangkok, Thailand, though he can often be found roaming through the jungles or chilling on a beach.
