Linked by Kroc Camen on Wed 7th Apr 2010 08:19 UTC
Bugs & Viruses Via Ha.ckers.org, we get news of a cross-domain flaw using Flash or Silverlight content that allows the attacker to use the victim's browser as a proxy, including access to the user's session. Erlend Oftedal, the developer, explains how the system works and demonstrates the concept with a video. The flaw stems from developers lackadaisically allowing cross-domain requests from Flash across their whole domain (which obviously includes the user-account interactions); even Flickr and YouTube were culprits at one point.
Thread beginning with comment 417516
To read all comments associated with this story, please click here.
is Chrome vulnerable?
by project_2501 on Wed 7th Apr 2010 10:00 UTC
project_2501
Member since:
2006-03-20

Is Google Chrome vulnerable, given it takes additional security measures - sandboxing, code sniffing,lowered security token, prevention of file uploading without explicit user selection, etc.

Reply Score: 2

RE: is Chrome vulnerable?
by avih on Wed 7th Apr 2010 10:08 in reply to "is Chrome vulnerable?"
avih Member since:
2006-03-16

Basically, Yes. This attack can take place using any reasonable browser.

The vulnerability is not Chrome's. It's a server which is configured insecurely that facilitates it.

Edited 2010-04-07 10:10 UTC

Reply Parent Score: 1

RE[2]: is Chrome vulnerable?
by eoftedal on Wed 7th Apr 2010 21:12 in reply to "RE: is Chrome vulnerable?"
eoftedal Member since:
2010-04-07

Correct. I've tested it in Chrome, and as expected it works there as well

Reply Parent Score: 1