The Dangers of Cross-Domain Ajax with Flash

Hey Chris,

[announcement type="public service"]

This (among other things) is one of the reasons that we really need a Free Software/Open Source Flash player.

Thankfully, Rob Savoye and crew are working on Gnash, a Free Software Flash player that includes a security manager.

Visit http://www.gnu.org/software/gnash/ to learn more.

You might want to chat with Rob a bit to learn more about the security implications of Flash movies - drop me a line and I will pass on his email address.

[/announcement]

Cheers!

--zak

Sun, 24 Sep 2006 at 19:16:39 GMT Link

Very interesting stuff!

Mon, 25 Sep 2006 at 18:58:00 GMT Link

Such a simple, yet potentially damaging vector. I am dismayed that so few people have bothered to Digg this.

Mon, 25 Sep 2006 at 23:52:09 GMT Link

Sadly, if Chris wanted attention, he should have disclosed this information before Flickr had a chance to fix the problem.

I'm glad he chose to wait.

Tue, 26 Sep 2006 at 01:04:57 GMT Link

I'm not sure you are right about this. the cross-domain file alows flash to read files from remote servers, this has nothing to do with writing files or making calls to that domain. You us a cross-domain file in a web service so that flash can read it's xml files. I'm not sure about how "there is no limit to what an attacker can do". I could be wrong about this but I wont disagree that it is a good thing to separate your webservices domain from your public site.

Thu, 28 Sep 2006 at 14:41:58 GMT Link

could you explain to me again what is possible that is not with normal HTTP, when you use a crossdomain.xml allowing full access from anywhere ?

I seem unable to grasp the concept, and the whole 'crossdomain.xml' thing seems only based on control

over the player, which can only be assumed by making user NO OTHER PLAYER then the uncorrupted MM one exists.

Mon, 20 Nov 2006 at 15:46:52 GMT Link

This does not stop security issues you can do the same things with HTTP api calls. The security lies in the API and the trust apps them selves. These large services if they want to, can open up API's for people to make mashups.

Shutting down the crossdomain.xml doesn't change the "I knew I could make any user of Flickr perform any action of my choosing. As a user of Flickr, I knew I could easily be the victim in such a scenario."

You could do the same thing with a scripting language based app that would do the same thing. These are open API's by Flickr so people can build apps on top of their service.

Wed, 13 Dec 2006 at 19:09:20 GMT Link

I think I was still confused with my first statement. I am trying to put it all together. It finally hit me that I was meshing the API and the normal main site token authentication together.

"If you have a public API and want to allow cross-domain Ajax requests with Flash, be sure to use a separate domain. If the user interface and API operate in the same domain, there's almost no limit to what an attacker can do."

That helped clear it up.

Wed, 13 Dec 2006 at 21:50:33 GMT Link

Note sure if this is already obvious to everyone, but it seems that "PowerSDK Software Corp." has registered the domain "http://www.crossdomainxml.org/". I sure hope that Yahoo and Flickr (Google too?) will keep their sites open for external developers. Cross domain access is truely useful when the "big sites" opt in. I just hope we don't lose it. Will it be possible for crossdomainxml.org to be kept up to date with policy file location information and status?

Sat, 30 Dec 2006 at 14:32:01 GMT Link