
March 22, 2010


Nils Hitze

Doesn't work with my Chrome, but I will forward it to someone at Google who can maybe forward this to the Gmail team. Thanks for finding it.

Yair Amit

Hello Nils,
In order to refrain from putting Gmail users at risk, this issue has been responsibly disclosed to Google. Therefore, this write-up was published only after the aforementioned security hole was fixed.


Hi Yair Amit,

Nice work!

This hole is fixed now. Can you share the old version of
'uploaderapi2.swf' with me?

Thank you.

My Gmail: 5up3rh3i@gmail.com


It is a nice case.
My GTalk: evilcos#gmail.com

Can you share the unfixed .swf file with me? Thanks :)


Hi Yair Amit,

It's amazing! I wonder how many mail, or other, services have a similar problem...

Good luck,


Hi Yair,
Very nice finding and write-up!
It seems that this category of bugs is going to be discovered more and more.

Thanks for the reference, too! :)


Yair Amit

@All, thanks for the feedback! :)

@Stefano, I agree that discoveries of this category of bugs will become more common as awareness of them rises.
However, after taking a look at some of the security changes that Adobe applied in ActionScript 3 (such as blocking the ability to implicitly use global parameters, a common programming error in AS2), it seems that they are heading in the right direction. :)
