Not all popular websites have proceeded to mitigate the risk
The latest update for Adobe Flash Player removes a security vulnerability, which could be leveraged to abuse JSONP endpoints by making a victim run arbitrary requests to high-profile exposed domains, accounts/books/maps.google.com among them, and leak sensitive data.This could be done by using Rosetta Flash, a tool that converts a Flash file, which is binary, into one composed of just alphanumeric characters, making its interception more difficult. The utility achieves this by returning an equivalent compressed with Zlib.
Google security researcher Michele Spagnuolo, presented the Rosetta Flash technology in a blog post and details how it works.
He also provides the three factors that need to be taken into consideration in order to understand the attack scenario.
First of all, since SWF files can perform GET and POST requests to the domain that hosts it via local shared objects, uploading a crafted SWF offers the attacker the opportunity to make the victim perform requests not limited to JSONP responses.
Second, JSONP “allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL,” and most JSONP endpoints callbacks impose a mainly alphanumeric restriction; and this is exactly what Rosetta Tool takes advantage of.
Third, “SWF files can be embedded on an attacker-controlled domain using a Content-Type forcing <object> tag, and will be executed as Flash as long as the content looks like a valid Flash file,” writes Spagnuolo in the blog post.
The researcher says that many popular domains are vulnerable to the exploit, Twitter, Instagram, Tumblr and eBay being among them. All of them have been informed of the risk and some have taken the necessary measures to fix the glitch, including Twitter, whose engineers worked it out over the weekend.
He also informed Adobe of the flaw, and the engineers wasted no time in providing an improved version of Flash Player that removes the exploitation risk.
According to Spagnuolo, “This is a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum only, valid SWF files have been presented. This led websites owners and even big players in the industry to postpone any mitigation until a credible proof of concept was provided.”
The researcher is scheduled to present the vulnerability at Hack In the Box: Malaysia in October, this year.
All users are advised to update to the latest version of Flash Player. Adobe’s browser plug-in is automatically updated in Google Chrome, Internet Explorer 10 and 11 thanks to the auto update mechanism included in the products; in some cases a browser restart is required for the update to complete.
Users that do not receive the update automatically are advised to install it manually as soon as possible in order to eliminate security risks.