Better patch Flash: 'Rosetta Flash' attack can steal site cookies

A new proof-of-concept attack combines lax SWF parsing in Adobe Flash Player with ordinary JSONP endpoints to let one website read data from other sites a user is logged into

Adobe Flash, the plug-in that refuses to die despite endless security issues, can chalk up yet another nasty problem. This one, as embodied in a proof-of-concept exploit by a security researcher, lets a hostile page make requests to other websites with your browser's cookies for those sites attached, and read the responses.

The proof of concept, entitled "Rosetta Flash" and detailed in a blog post by Google security engineer Michele Spagnuolo, abuses JSONP, a technique originally devised to let JavaScript on a page fetch data across domains, together with Flash Player's willingness to run any response that begins with the bytes of a SWF file.

First, a hostile Flash application (a SWF file) is re-encoded so that every byte is a letter or digit; Spagnuolo's tool does this by steering the zlib compression that SWF files already use, so the compressed output comes out alphanumeric. The attacker's page then embeds an object whose source is a JSONP endpoint on the target site, with the encoded SWF supplied as the callback parameter. A JSONP endpoint reflects the callback name verbatim at the very start of its response, so the response body now begins with a valid SWF header followed by the JSON padding. Flash Player ignored the declared Content-Type and any trailing bytes and executed the reflected bytes as a Flash application, with the target site as its origin. From that origin the hostile SWF can issue requests that carry the victim's cookies for the site, read whatever those requests return, and forward it to an attacker-controlled domain.

Spagnuolo claims such a security hole has been "a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum-only valid SWF files have been presented [until now]." The flaw does not lie in JSONP alone, whose whole purpose is cross-domain communication: it needs both an endpoint that reflects attacker-chosen bytes at the start of its response and a Flash Player that executes any response starting with a SWF header, regardless of the content type the server declared.

Once presented with the proof of concept, various sites have scrambled to patch their servers as a preventive measure. The server-side fix is simple: prefix every JSONP response with an empty JavaScript comment (/**/) so it can no longer begin with a SWF header, and mark the response with X-Content-Type-Options: nosniff and a Content-Disposition: attachment header so browsers and plug-ins do not treat it as embeddable content. eBay, Tumblr, and Instagram have been able to make such changes, according to Ars Technica, but many other sites with JSONP endpoints may well remain vulnerable.
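The mechanics described above and the server-side fix that sites rolled out can be seen together in the following model, added here as an illustration and not taken from Spagnuolo's tool or from any affected site. The helper names (buildJsonpResponse, flashWouldParse, attackerEmbedHtml, runScenario), the host victim.example and the alphanumeric SWF stand-in are all constructed for the example; the stand-in is not a real SWF, it merely begins with the "CWS" magic that the pre-patch Flash Player keyed on.

```javascript
// Added example for this article: a model of a JSONP endpoint before and
// after the Rosetta Flash hardening, plus the attacker-side embed. These are
// illustrative helpers (buildJsonpResponse, flashWouldParse, attackerEmbedHtml)
// written here, not code from Spagnuolo's tool or from any affected site.

// Constructed stand-in for the alphanumeric-only SWF that Rosetta Flash emits.
// The real payload is a valid zlib-compressed SWF whose every byte is in
// [A-Za-z0-9]; for this demonstration only the leading "CWS" magic matters.
const ALNUM_SWF_STANDIN = 'CWS' + 'Ab1Cd2Ef3'.repeat(8);

// A typical "safe" callback filter: letters, digits, _ and $ only.
// Rosetta Flash passes it because the payload is purely alphanumeric.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Build the HTTP response a JSONP endpoint would send for ?callback=<callback>.
function buildJsonpResponse(callback, payload, { hardened = false } = {}) {
  if (!CALLBACK_RE.test(callback)) {
    return { status: 400, headers: {}, body: '' };
  }
  const headers = { 'Content-Type': 'application/javascript; charset=utf-8' };
  let body = `${callback}(${JSON.stringify(payload)});`;
  if (hardened) {
    // Prefixing an empty JS comment means the body can never start with
    // "FWS"/"CWS"/"ZWS", whatever the callback parameter contains.
    body = '/**/' + body;
    // Stop browsers from sniffing the body as some other type.
    headers['X-Content-Type-Options'] = 'nosniff';
    // Mark the response as a download so plug-ins do not render it inline.
    headers['Content-Disposition'] = 'attachment; filename=f.txt';
  }
  return { status: 200, headers, body };
}

// Simplified model of pre-patch Flash Player: it decided a fetched resource was
// a SWF from the first three bytes alone, ignoring Content-Type and any
// trailing bytes (here, the JSON padding after the reflected callback).
function flashWouldParse(response) {
  if (response.status !== 200) return false;
  const magic = response.body.slice(0, 3);
  return magic === 'FWS' || magic === 'CWS' || magic === 'ZWS';
}

// The attacker's page: an <object> whose data URL is the victim's JSONP
// endpoint with the SWF as the callback. Flash runs the result with the
// victim site's origin, so the SWF's requests carry the victim's cookies.
function attackerEmbedHtml(jsonpEndpoint, alnumSwf) {
  const url = `${jsonpEndpoint}?callback=${encodeURIComponent(alnumSwf)}`;
  return `<object type="application/x-shockwave-flash" data="${url}"></object>`;
}

// Run the scenario end to end and report which responses Flash would execute.
function runScenario() {
  const payload = { user: 'alice', csrfToken: 'constructed-token' }; // constructed data
  const endpoint = 'https://victim.example/api/data'; // hypothetical host
  const vulnerable = buildJsonpResponse(ALNUM_SWF_STANDIN, payload);
  const hardened = buildJsonpResponse(ALNUM_SWF_STANDIN, payload, { hardened: true });
  const legit = buildJsonpResponse('handleData', payload, { hardened: true });
  return {
    embed: attackerEmbedHtml(endpoint, ALNUM_SWF_STANDIN),
    vulnerableExecutes: flashWouldParse(vulnerable), // true: body starts with "CWS"
    hardenedExecutes: flashWouldParse(hardened),     // false: body starts with "/**/"
    hardenedHeaders: hardened.headers,
    legitBody: legit.body,                           // still valid JSONP for real callers
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Note that the alphanumeric filter alone does nothing here: the attack payload is designed to pass exactly that check, which is why the fix has to change what the response starts with rather than what the callback may contain. Real JSONP consumers are unaffected by the /**/ prefix, since the browser's JavaScript engine skips the comment.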

Adobe itself has also shipped a Flash Player update (security bulletin APSB14-17, addressing CVE-2014-4671) that tightens the player's SWF parsing so that such reflected content is rejected, which ought to close the hole on the client side. But the notoriously slow cycle of user patching for Flash, to say nothing of enterprise systems that are updated even less frequently, means this technique could still have plenty of time to do damage against any site whose JSONP endpoints remain unfixed.

