
March 22, 2010


Listed below are links to weblogs that reference Cross-Site Scripting through Flash in Gmail Based Services:

Comments

Nils Hitze

Doesn't work with my Chrome, but I will forward it to someone at Google who can maybe forward this to the Gmail team. Thanks for finding it.

Yair Amit

Hello Nils,
In order to refrain from putting Gmail users at risk, this issue was responsibly disclosed to Google. Therefore, this write-up was published only after the aforementioned security hole was fixed.

5up3rh3i@gmail.com

Hi Yair Amit,

Nice work!

This hole is fixed now; can you share the old version of
'uploaderapi2.swf' with me?

Thank you.

My Gmail: 5up3rh3i@gmail.com

cosine

It is a nice case.
My GTalk: evilcos#gmail.com

Can you share the unfixed .swf file with me? Thanks :)

BigMc

Hi Yair Amit,

It's amazing! I wonder how many mail, or other, services have a similar problem...

Good luck,
BigMc.

Stefano

Hi Yair,
Very nice finding and write-up!
It seems that this category of bugs is going to be discovered more and more.

Thanks for the reference, too! :)

Stefano

Yair Amit

@All, thanks for the feedback! :)

@Stefano, I agree that discoveries of this category of bugs will become more common as awareness of them rises.
However, after taking a look at some of the security changes that were applied by Adobe in ActionScript 3 (such as blocking the ability to implicitly use global parameters, a common programming error in AS2), it seems that they are heading in the right direction. :)
