Background
I recently discovered a cross-site scripting through Flash issue in Gmail. Not only did it expose Gmail users to full account hijacking, but it also exposed corporate users that rely on Gmail through the Google Apps initiative.
Technical Details
Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it passed two user-supplied parameters ('apiInit' and 'apiId') straight to ExternalInterface.call(), the method of the ExternalInterface class that ActionScript uses to invoke code in the Flash Player container (the hosting HTML page, in the case of browsers).
// From uploaderapi2.swf: FlashVars / query-string parameters supplied by the
// embedding page are read verbatim, without validation.
var flashParams:* = LoaderInfo(this.root.loaderInfo).parameters;
API_ID = "apiId" in flashParams ? (String(flashParams.apiId)) : ("");
API_INIT = "apiInit" in flashParams ? (String(flashParams.apiInit)) : ("onUploaderApiReady");
// ...
if (ExternalInterface.available) {
    // API_INIT, taken unvalidated from user input, becomes the name of the
    // JavaScript function that the hosting page will execute.
    ExternalInterface.call(API_INIT, API_ID);
}
A snippet from uploaderapi2.swf
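The first argument of ExternalInterface.call() is interpreted by the hosting page as the name of a JavaScript function to run, so a value taken from user input must be validated before it gets there. The following is an added illustration (not code from Gmail or the SWF) of the check the movie should apply before the call: it mirrors the snippet's parameter handling, accepts only a plain or dotted identifier, optionally restricts the name to an allowlist, and otherwise falls back to the snippet's own default. The allowlist entries and sample inputs are constructed.

```javascript
// Only a plain, optionally dotted, JavaScript identifier may be used as a
// callback name. Parentheses, quotes, semicolons and whitespace are rejected.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Default taken from the snippet: used when apiInit is absent, and here also
// when it is present but invalid.
const DEFAULT_INIT = "onUploaderApiReady";

// Stricter policy: an explicit allowlist of callbacks the hosting page is
// known to define (constructed, hypothetical names for the example).
const KNOWN_CALLBACKS = new Set([DEFAULT_INIT, "gmail.onUploaderReady"]);

// Same decision as the snippet's "apiInit" in flashParams ? ... : default,
// but refuses anything that is not syntactically a callback name.
function resolveInitCallback(flashParams, allowlist = null) {
  if (!("apiInit" in flashParams)) return DEFAULT_INIT;
  const name = String(flashParams.apiInit);
  if (!CALLBACK_NAME.test(name)) return DEFAULT_INIT;
  if (allowlist !== null && !allowlist.has(name)) return DEFAULT_INIT;
  return name;
}

// Models the call site: returns the function name and argument list that
// would be handed to ExternalInterface.call(). apiId travels as an argument
// (data), never as part of the function name (code).
function buildExternalCall(flashParams, allowlist = null) {
  const apiId = "apiId" in flashParams ? String(flashParams.apiId) : "";
  return { name: resolveInitCallback(flashParams, allowlist), args: [apiId] };
}

// Constructed sample parameter sets, shaped like LoaderInfo.parameters.
const benign = { apiInit: "onUploaderApiReady", apiId: "upload-42" };
const dotted = { apiInit: "gmail.onUploaderReady", apiId: "upload-42" };
const hostile = { apiInit: "onUploaderApiReady);doSomething(", apiId: "x" };

console.log(buildExternalCall(benign));                   // name unchanged
console.log(buildExternalCall(dotted, KNOWN_CALLBACKS));  // allowlisted
console.log(buildExternalCall(hostile));                  // falls back to default
```

ActionScript 3 RegExp has the same syntax, so the check ports directly into the SWF.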
Continue reading "Cross-Site Scripting through Flash in Gmail Based Services"