Web companies rush to plug serious cross-domain hole


Google and other large properties vulnerable.

A serious vulnerability has emerged that uses Adobe Flash (SWF) files converted into plain text to exfiltrate data from a victim's browser sessions on other sites.

The obscure cross-domain request forgery bug was detailed in a proof of concept by information security engineer Michele Spagnuolo, currently an employee of Google and based in Zürich, Switzerland.

According to Spagnuolo, several high-profile sites were vulnerable, including most Google domains, Instagram, Tumblr and eBay.

Twitter was also vulnerable, but plugged the hole over the weekend.

@mikispag @twittersecurity yeah you kinda ruined our weekend tho :)

— Berk D. Demir (@bd) July 5, 2014

The proof of concept works by converting Adobe SWF files from their binary format into files made up only of text or alphanumeric characters. Because a JSONP endpoint reflects the caller-supplied callback name at the very start of its response, an attacker can pass the "weaponised" SWF as the callback parameter, so that the vulnerable domain itself serves it. A victim's browser then loads the response from that domain and Adobe Flash Player executes it as a Flash file.

Once running, the specially crafted SWF file executes with the origin of the vulnerable site, so it can make requests that carry the victim's cookies, read the responses and send the sensitive data to a destination controlled by the attacker.

Spagnuolo said the issue had been known to the security community, but until now no tool had been made public to generate ASCII-only or alphanumeric-only SWF files.

Spagnuolo has created a tool called Rosetta Flash which is coded "to abuse JSONP" (JSON with Padding, a widely used technique for requesting data across domains by wrapping it in a caller-named JavaScript function), but he noted that the vulnerability isn't limited to that technique.

Rosetta Flash diagram. Source: Miki Spagnuolo

Insomnia Security researcher Adam Boileau analysed the cross-domain vulnerability for iTnews and described it as "pretty bad ass", compelling in that it is not application or target specific.

"This vulnerability is a great example of chaining together three or four different legitimate browser behaviours into a pretty serious bug," Boileau said.

"We've seen Flash used for cross domain attacks before, but this kind of "universal" cross domain weakness has the potential to really be abused. JSONP is fairly widely used, exposing users of dynamic web apps to account compromise. Mitigating this bug properly relies on Flash updates, which has never gone well.

"This type of vulnerability illustrates the complex - and brittle - relationships between components of the modern browser and web ecosystem."

The vulnerability was reported to Google, which has since secured its sites.

Adobe also offered up a fix for the problem in the latest Flash Player version, released today.

Spagnuolo suggested website admins should avoid using JSONP on sensitive domains, and also use a dedicated sandbox domain whenever possible.

Copyright © iTnews.com.au . All rights reserved.