He added that a vulnerable endpoint could be forced to perform arbitrary requests to the vulnerable domain and lose data to an attacker-controlled site.
On sites that accept SWF uploads, an attacker could use the tool to convert a malicious SWF file so that it can be passed as a JSONP callback and then reflected by the endpoint, Spagnuolo said in a blogpost. Spagnuolo’s tool called Rosetta Flash converts binary SWF files into a file made up of just alpha numeric characters. Google, Youtube and Twitter have already fixed the problem on their ends. Popular websites such as Instagram, eBay, Tumblr and others using JSON with Padding or JSONP remain vulnerable to an exploit tool released today as a proof of concept against a vulnerability in Adobe Flash Player.Īdobe today released an updated version of Flash that patches the vulnerability discovered and reported by Google engineer Michele Spagnuolo.
0 kommentar(er)
