Linked by Kroc Camen on Wed 7th Apr 2010 08:19 UTC
Bugs & Viruses Via Ha.ckers.org, we get news of a cross-domain flaw using Flash or Silverlight content that allows the attacker to use the victim's browser as a proxy, including access to the user's session. Erlend Oftedal, the developer, explains how the system works and demonstrates the concept with a video. The flaw stems from developers lackadaisically allowing cross-domain requests from Flash across their whole domain (which obviously includes the user-account interactions); even Flickr and YouTube were culprits at one point.
Order by: Score:
is Chrome vulnerable?
by project_2501 on Wed 7th Apr 2010 10:00 UTC
project_2501
Member since:
2006-03-20

Is Google Chrome vulnerable, given it takes additional security measures - sandboxing, code sniffing,lowered security token, prevention of file uploading without explicit user selection, etc.

Reply Score: 2

RE: is Chrome vulnerable?
by avih on Wed 7th Apr 2010 10:08 UTC in reply to "is Chrome vulnerable?"
avih Member since:
2006-03-16

Basically, Yes. This attack can take place using any reasonable browser.

The vulnerability is not Chrome's. It's a server which is configured insecurely that facilitates it.

Edited 2010-04-07 10:10 UTC

Reply Score: 1

RE[2]: is Chrome vulnerable?
by eoftedal on Wed 7th Apr 2010 21:12 UTC in reply to "RE: is Chrome vulnerable?"
eoftedal Member since:
2010-04-07

Correct. I've tested it in Chrome, and as expected it works there as well

Reply Score: 1

Not news, or a flaw
by spookylukey on Wed 7th Apr 2010 10:57 UTC
spookylukey
Member since:
2010-04-07

crossdomain.xml files are a deliberate mechanism to remove the protection afforded by the Same Origin policy. If a developer creates one, they are deliberately removing or loosening a security measure.

This article is the equivalent of pointing out that removing locks from your doors is a bad idea, because it allows people to get in even if they don't have the keys. Of course that is true, but not worthy to be called either news or a flaw.

Reply Score: 2

RE: Not news, or a flaw
by Kroc on Wed 7th Apr 2010 11:10 UTC in reply to "Not news, or a flaw"
Kroc Member since:
2005-11-10

It’s a human flaw—but a flaw it still is. Hackers exploit all flaws, including human ones.

Reply Score: 3

RE[2]: Not news, or a flaw
by Laurence on Wed 7th Apr 2010 16:09 UTC in reply to "RE: Not news, or a flaw"
Laurence Member since:
2007-03-26

It’s a human flaw—but a flaw it still is. Hackers exploit all flaws, including human ones.


Very true.
Flamewars and personal opinions aside even I'd admit that most of the instances of malware on Windows is down to flawd humans.

In fact, I can think of at least one occasion when a computer has been set up properly (virus scanner et al) and the user /DISABLED/ the security apps because a porn site told him too!

Reply Score: 4

RE[2]: Not news, or a flaw
by dvhh on Thu 8th Apr 2010 01:26 UTC in reply to "RE: Not news, or a flaw"
dvhh Member since:
2006-03-20

As we already know, 98% of computer [security|software|etc...] problems usually stand between the screen and the chair.

Reply Score: 1