Adobe Flash, the plug-in that refuses to die despite endless security issues, can chalk up yet another nasty problem. This one, as embodied in a proof-of-concept exploit by a security researcher, can access cookies in your browser set by other websites.
Spagnuolo claims such a security hole has been "a well known issue in the infosec community, but so far no public tools for generating arbitrary ASCII-only, or, even better, alphanum-only valid SWF files have been presented [until now]." The problem isn't with JSONP alone, since its whole function is to allow cross-domain communication in the first place.
Once presented with the proof of exploit, various sites have scrambled to patch their servers as a preventive measure. eBay, Tumblr, and Instagram have been able to make changes to their sites to thwart the attack, according to Ars Technica, but many other sites with JSONP endpoints may well be vulnerable.
Adobe itself has responded in kind, providing an update for Flash Player that ought to fix the issue on the client side. But the notoriously slow cycle of user patching for Flash systems -- to say nothing of enterprise systems that are updated even less frequently -- means this exploit could still have plenty of time to do damage.
This story, "Better patch Flash: 'Rosetta Flash' attack can steal site cookies," was originally published at InfoWorld.com.