Poor Flash programming responsible

Jan 23, 2010 12:15 GMT

A security researcher used a vulnerability in Twitter's Flash widget to demonstrate how an account on the micro-blogging platform can be hijacked. The flaw apparently stems from a rookie programming mistake that has been widely known since 2006.

"We’ve been notified about a vulnerability in our Flash widget and out of an abundance of caution we’ve disabled access as we assess the situation," Twitter's staff announced yesterday. Users embedded this widget on their own websites to display tweets using Flash.

Mike Bailey, a senior security analyst at Foreground Security who reported this flaw to Twitter, has been busy researching Flash-based attacks and security issues in recent months. Back in November 2009, he got into an argument with Adobe over the effectiveness of Flash's Same Origin Policy.

Mr. Bailey has not disclosed any details about the vulnerability yet, because he is scheduled to give a presentation on the subject at the upcoming Black Hat 2010 security conference in Washington. Entitled "Neat, New, and Ridiculous Flash Hacks," his talk will discuss "new flash-based attacks, repurposing of old attacks, and demonstrations of working (and sometimes ridiculously complex) attacks on Gmail, Twitter, and other major websites."

Bailey demonstrated how it is possible to force a Twitter user to post a predefined tweet when visiting a link to a specially crafted XML file. His proof-of-concept attack used a dummy account, but the researcher told The Register that "In reality, I have full access to everything your Twitter account has on the web. I can think of a million ways to use this as an attacker."

The vulnerability used in this attack dates back to 2006, and Adobe has already instructed programmers on how to avoid it. However, many of them failed to follow these recommendations, and now thousands of websites, including many high-profile ones, are riddled with buggy Flash files.