Flash security
Flash security
What exactly can be done with hidden Flash nowadays? I read something about clickjacking, inserting a hidden flash movie and overlaying it on the (hacked/malicious) site and with that having people click on things they don't want.
What are the current trends in this regard and what can you do to prevent it?
Re: Flash security
Don't install flash 
I personally only installed it for Internet Explorer. If I want to watch a video or something I'll use that. But for normal browsing with Firefox I'm safe. Plus I don't get them adverts for "smileys" that talk and stuff. They are most annoying.
Re: Flash security
jackpf wrote: Don't install flash
You are brilliant
I know I can also use noScript plugin to block any javascript/flash on sites. Very practical is it not
But my question was more general. I believe I'm reasonable safe (on mac, using ff, no strange sites), so my interest is more about the general techniques and dangers, what browser makers do to prevent problems, what users can do, etc
Re: Flash security
Lol I know, I seem to have a habit of replying with stupidly obvious answers to your intricate questions... sorry 
In response to what do the browser makers do...you know the "Visiting this site may harm your computer..." warning message? Isn't that a response to a website downloading content from a blacklisted site?
So say there's site A and site B. Site A is a good site, and site B is a hacker's site. Site B hacks site A, and links to his dodgy flash program which steals cookies. But site B gets found out and blacklisted. Because site A downloads data from blacklisted site B, people get the "Visiting this site may harm your computer..." warning when visiting site A.
Anyway, that seems pretty clever. I can't really think of anything else browsers can do. I mean...how can they differentiate between "good" and "bad" flash?
I may be completely wrong...I just thought I'd try and contribute something a bit more relative this time
Sorry once again,
Jack.
Re: Flash security
No problem 
I have never seen the warning "Visiting this site may harm your computer...". In which browser/system is that?
What I was thinking: would it not be better if a browser prevents site A from loading any content from site B? Unless you explicitly allow it
I know there are many legitimate reasons to load content from other sites, but still. Would be a pretty good improvement I think.
Re: Flash security
Actually, I think it's google that does that. I always thought it was the browser...my bad.
I suppose you could do that. Although I'm sure it'd get pretty annoying after a while...
Maybe you could have a whitelist of websites, so you don't get prompted for websites you trust.
This could probably be done with a firefox extension.
Say...when a new page loads, do a regex search on the page for sources and links to domain names that don't match the page's. Then you can remove the source, and replace it with a message or something...prompting the user to click it to allow the content to be downloaded. When the user clicks, change the source back so the browser can download it.
That's probably a bit beyond me tbh...but I'm sure it's possible. Maybe a suggestion to the Mozilla developers?
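The cross-domain check described in the post above, as an added example that is not part of the original thread: it scans markup with a regex, as the post suggests, and reports embeds whose host differs from the page's and is not on the whitelist. The function names, the tag coverage and the constructed sample page are assumptions of this sketch.

```javascript
// Added example: list embedded resources served from a host other than the page's own.
// Matches src= on script/iframe/embed/img and data= on object (attribute must follow whitespace).
const EMBED_RE =
  /<(script|iframe|embed|object|img)\b[^>]*?\s(src|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// True when `host` equals `domain` or is a subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function findThirdPartyEmbeds(html, pageUrl, allowlist = []) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(EMBED_RE)) {
    const raw = m[3] ?? m[4] ?? m[5];
    let target;
    try {
      // Resolves relative ("/js/x.js") and protocol-relative ("//host/x.js") URLs.
      target = new URL(raw, page);
    } catch {
      continue; // not a parsable URL
    }
    if (!/^https?:$/.test(target.protocol)) continue; // data:, about:, etc. have no remote host
    if (target.hostname === page.hostname) continue;  // first-party
    if (allowlist.some((d) => hostMatches(target.hostname, d))) continue; // trusted by the user
    findings.push({ tag: m[1].toLowerCase(), host: target.hostname, url: target.href });
  }
  return findings;
}

// Constructed sample page (not taken from any real site).
const SAMPLE_PAGE = `
<script src="/js/site.js"></script>
<script src="//stats.example.net/t.js"></script>
<img src="images/logo.png">
<object data="http://media.untrusted.example/overlay.swf" style="opacity:0"></object>
<embed src='https://cdn.blog.example/player.swf'>
<iframe src="https://video.example.org/embed/1"></iframe>`;

console.log(findThirdPartyEmbeds(SAMPLE_PAGE, 'https://blog.example/post/1',
  ['example.org', 'cdn.blog.example']));
```

A regex only sees static markup; content injected later by script is missed, which is why blockers of this kind hook the browser's request handling instead.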
- JAB Creations
Re: Flash security
Firefox + Adblock Plus + Subscription = no more advertising. I maintain an adblock subscription list myself. Noscript is way over-kill...I think useful script blocking would block third-party website scripts from loading though many sites rely on "API's" hosted elsewhere which I think is pretty lame considering if the third party breaks something then you're up a creek without a paddle. Boy the things people do on the interwebs! 
As far as Flash being a security threat...I mean...what kind of websites are you guys visiting? Just kidding...but if I ever think something looks potentially shady I disable JavaScript and meta redirects with the Web Developer toolbar for Firefox. I always have Java disabled but I've never had a problem with Flash. When opening SWF's in the standalone Flash player it always asks if it's ok to allow the Flash file to open a website so if it can redirect to a third party I'm not entirely sure...though I think it would be possible.
Why not just create a white list of allowed sites to load Flash?
Re: Flash security
jackpf wrote: Actually, I think it's google that does that. I always thought it was the browser...my bad.
Interesting. I have never seen that. I guess Google is in a good position to do that, as it's able to scan all sites and see what's on it.
Having thought about it some more, I think that it's not practical to block all content loaded from other sites. Every webstat application, every advertisement system, every embedded movie, etc relies on the fact that it is possible.
However, I still think that in theory it would make surfing a lot safer.
JAB Creations wrote: As far as Flash being a security threat...I mean...what kind of websites are you guys visiting? Just kidding...but if I ever think something looks potentially shady I disable JavaScript and meta redirects with the Web Developer toolbar for Firefox.
Well that is the thing: you don't have to visit suspicious sites to be vulnerable. A couple of days ago I followed a link from the wordpress.org site to the website of a plugin. Just a regular developer's weblog. And on that site I found a weird transparent Flash overlay, injected at the bottom of the source. Probably clicking anywhere on that site would have done something. I couldn't find out exactly what was going on, but my guess is that that site was hacked and the flash was injected. Just like the hidden iFrame hacks you see.
Re: Flash security
jackpf wrote: Actually, I think it's google that does that. I always thought it was the browser...my bad.
Browsers do use Google's database for this, but the browser is the one that displays the message.
Re: Flash security
Oh right, cool. I couldn't find a straight answer on the web. Nice one 
- Jonah Bron
Re: Flash security
Flash can't do anything to your computer. The extent of its capabilities is to place a Flash Cookie on your computer. That's what the Betterprivacy Plugin is for: it erases them.
I don't like to be tracked. When I discovered that Google owns something like 54% of all ads online, and that they put an ID cookie on you, I disabled cookies and installed Adblock. It's creepy. I read through the Google-Watch.org site, and stopped using Google everything. Now, I'm not one to just get carried away in some sort of conspiracy theory, but the information presented was valid and convincing.
- kaisellgren
Re: Flash security
matthijs wrote: what can you do to prevent it?
As a developer or as a web surfer?
This is totally non-PHP specific. Click-jacking is an issue with web browsers, so, as a web surfer you should stick with the latest versions of modern browsers. Every single web browser has open vulnerabilities, though. NoScript will definitely raise your level of security, but I find NoScript often irritating.
The most important thing to do is to keep Java and Flash up-to-date.
As a web developer, you can use frame breakers to prevent Click-jacking, but this is not really your job.
Re: Flash security
Theoretically nothing javascript can already do. It prompts the user if you try to tap into webcam or anything like that, plain HTML / javascript can try to print documents,
Here's an example of where you can run into trouble: on newgrounds.com users can upload their own flash content, there is a voting system to rate flash games and videos, the .swf is served on the same domain as the rating script. Authors simply wrote .swf files to make an http request from the user's account to rate 5/5, etc... ( the loadMovie command for instance is for loading swf and jpg files but could load anything, likewise there are xml functions etc.. ).
Then again all of this can already be done if you allow any kind of javascript. The difference is with flash you can get an alternate domain like mydomain.com and mydomainmedia.com, serve your user uploaded .swf content off the 2nd domain put your scripts on the first
newgrounds uses uploads.ungrounded.net/