Black Hat : Blinded by Flash security
WASHINGTON DC -- Adobe's Flash format is everywhere on the web, but be warned : Flash files could potentially be carriers of security exploits.
At least that's the allegation of HP security researcher Prajakta Jagdale who today talked about Flash security in a session at Black Hat DC. There are a number of different types of vulnerabilites that could affect Flash including information disclosure and cross site scripting issues. Though ultimately Jagdale argued that it comes down to proper coding and validation to secure Flash.
On the low hanging fruit side, Jagdale noted that some Flash developers hardcode username and password information into files. A simple Google search with the search query "Filetype:swf inurl:login " was used by Jagdale to show how easy it is to identify vulnerable flash sites.
Additionally she noted that Flash allows for text boxes that could have HTML values - as such HTML injection could lead to exploit.
"You always need to validate inputs," Jagdale said.
Again she did a basic Google search to try and find potentially vulnerable Flash sites for HTML injection. She used the query "filetype:swf inurl:clickTag". When she did the search she claimed that she got at least 200 results of which in her analysis 120 were found to be vulnerable to XSS.
Jagdale advised that in addition to input validation developers should use SSL and should avoid storing sensitive information in the Flash application.