Adobe patches critical Flash flaw that can steal just about anything
Adobe has just issued a critical patch to fix a gaping security flaw in Flash that could affect users of dozens of popular websites, including eBay, Instagram, Tumblr and others.
The flaw, was discovered by security blogger Michele Spagnuolo and has allegedly been known about for some time, makes it possible for hackers to steal the cookies that authenticate returning users on thousands of websites using Flash.
“I present Rosetta Flash, a tool for converting any SWF file to one composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site,” Spagnuolo wrote.
Rosetta Flash attacks have three components to them; the first involves something called a SWF file that can perform GET and POST requests to a web domain without any cross-domain checks. Spagnuolo says that attackers who upload SWF files onto vulnerable domains to “can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled domain”.
Once done, the attacker uses the second component, JSONP. According to Spagnuolo, this “allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL”. Normally, JSONP is restricted to just using alphabetic characters, and this is how the Rosetta Flash enables an attack with the SWF/JSONP combo.
Finally, the third component of the attack takes advantage of the fact that SWF files can be executed if they look like valid Flash files – in other words, a modified malicious file on the attacker’s domain can be the vector.
The key to all of this is Rosetta Flash (at Github), which takes the SWF files’ binary data, and maps all the non-alphabetic bytes to the alphabet. This allows malicious SWF files to be recognised and executed.
Spagnuolo demonstrates how to do so in a proof-of-concept, getting SWF files verified as FlashVars in order to perform a GET request with the target’s cookie, then POST a variable with the exfiltrated data.
Most users will receive Adobe’s patch via their browsers (this is usually done automatically), but for those who don’t the update is available to download here. Google was notified privately by Spagnuolo and has already fixed its affected domains, while Tumblr has also been patched according to Ars Technica.
photo credit: Striking Photography by Bo Insogna via photopin cc
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU