“Weaponized” exploit can steal sensitive user data on eBay, Tumblr, et al.
July 8, 2014 – 4:22 PM
A serious attack involving a widely used Web communication format is exposing millions of end users’ authentication credentials on sites including eBay, Tumblr, and Instagram, a well-respected security researcher said Tuesday.
The exploit—which stems from the ease of embedding malicious commands into Adobe Flash files before they’re executed—has been largely mitigated by a Flash security update Adobe released Tuesday morning to coincide with a technical analysis of the threat, including proof-of-concept exploit code. It will take days or weeks for a meaningful percentage of end users to install the fix, so the researcher who wrote the advisory is warning engineers at large websites to make server-side changes that will minimize the damage attackers can inflict on visitors. eBay, Tumblr, Instagram, and Olark are known to be vulnerable to attacks that can intercept authentication cookies or other data they send end users. Until recently, both Twitter and a wide range of Google services were also susceptible to the exploit. The common identifier assigned to the exploit is CVE-2014-4671.
The attack relies on behavior that has existed for years that allows the binary contents of a common Shockwave file—a throwback term for Flash files that’s better known simply as SWF—to be converted into an equivalent file based solely on alphanumeric characters. The conversion typically happens when a SWF file is compressed, and the resulting alphanumeric output passes unchanged through websites that use a technique known as JSONP—or JSON with padding—to set browser cookies and perform other tasks.
A new proof-of-concept tool dubbed Rosetta Flash uses a creative combination of encoding algorithms to construct character-only representations of SWF files that contain malicious commands. Among other things, malicious SWF files spawned by the tool can use the visitor’s Flash application to send Web requests that can access authentication cookies and other files set by other websites that use JSONP. This exfiltration works as a result of Flash being able to bypass the Same Origin Policy, which is in place to stop these kinds of cross-domain requests. As a result, a malicious website hosting a booby-trapped SWF file could use authentication cookies that were previously set by eBay and other vulnerable sites to make authenticated data requests on behalf of the person visiting the attack site.
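The article says site engineers were urged to make server-side changes; the following is an added example (not code from the article, Adobe, or the researcher) of what that looks like for a JSONP endpoint. It assumes a Python handler in which the callback name comes from the request, and applies the widely recommended mitigation of prefixing the response with `/**/` so the body can never begin with a SWF header, since an alphanumeric-only callback check on its own does not stop a Rosetta Flash payload.

```python
import json
import re

# Conservative callback grammar: a JavaScript identifier, optionally dotted.
# Constructed for this example; tighten it to the site's real callback names.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Magic bytes that begin an uncompressed, zlib-compressed or LZMA-compressed SWF.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def naive_jsonp(callback: str, data: dict) -> bytes:
    """The weak pattern: reflects the callback name at byte 0 of the response.
    An alphanumeric callback beginning with 'CWS' makes the body parse as a SWF."""
    return f"{callback}({json.dumps(data)});".encode()


def hardened_jsonp(callback: str, data: dict) -> tuple[bytes, dict]:
    """Validates the callback and guarantees the body cannot start with a SWF header."""
    if len(callback) > 64 or not _CALLBACK_RE.match(callback):
        raise ValueError("invalid JSONP callback name")
    # '/**/' is a JS comment, so clients are unaffected, but it means the first
    # bytes are never 'FWS'/'CWS'/'ZWS' even when the callback itself is alphanumeric.
    body = f"/**/{callback}({json.dumps(data)});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Defence in depth: ask clients not to sniff the body as another type.
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def looks_like_swf(body: bytes) -> bool:
    """Detection check for responses of an existing endpoint: does the body
    begin with a SWF signature? Useful when auditing reflected parameters."""
    return body[:3] in SWF_MAGIC
```

Running `looks_like_swf` over captured responses of each JSONP endpoint (with a callback such as `CWSabc` supplied) is a quick way to find endpoints that still reflect the callback at byte 0.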