sIFR Vulnerability Impacts Adobe, BlackBerry, Visa, Amazon and Other Sites – Video

Adobe has fixed the issue and added the researcher's name to the "acknowledgements" page

 
17-year-old Iraqi security researcher Abdullah Hussam has identified a cross-site scripting (XSS) vulnerability in a Scalable Inman Flash Replacement (sIFR) implementation that’s used on many high-profile websites.

The list of impacted websites includes those of Adobe, MasterCard, Visa, American Express, Amazon, BlackBerry and a number of US universities.

The XSS vulnerability exists in the sIFR tool’s SWF file. Hussam tells me that Adobe has addressed the issue, and so have other companies, but there are still many websites that run a vulnerable version.

Adobe, which fixed the flaw around four months after Hussam reported it, has added the researcher’s name to the company’s “Acknowledgments” page.

sIFR is a JavaScript snippet that uses Flash to replace text with non-standard web fonts.

The expert has published a video to demonstrate his findings. Check it out.
