17-year-old Iraqi security researcher Abdullah Hussam has identified a cross-site scripting (XSS) vulnerability in a Scalable Inman Flash Replacement (sIFR) implementation that’s used on many high-profile websites.
The list of impacted websites includes those of Adobe, MasterCard, Visa, American Express, Amazon, BlackBerry and a number of US universities.
The XSS vulnerability exists in the sIFR tool’s SWF file. Hussam tells me that Adobe has addressed the issue, and so have other companies, but there are still many websites that run a vulnerable version.
Adobe, which fixed the flaw around four months after Hussam reported it, has added the researcher’s name to the company’s “Acknowledgments” page.
The expert has published a video to demonstrate his findings. Check it out.