A Google engineer has come up with a tool that exploits various properties of Flash and JSONP. The tool converts an SWF file into a file composed of only alphanumeric characters in order to abuse JSONP endpoints, making a victim perform arbitrary requests to the domain with the vulnerable endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site (source: Michele Spagnuolo's blog). The issue has been reported to Adobe, and they have corrected it. The flaw affected almost every major web giant, including Google, Twitter, YouTube, eBay, Instagram and Tumblr.
Google is said to have fixed the vulnerability, and YouTube has fixed it as well; some high-profile sites such as Twitter and Instagram had yet to fix the issue at the time of this post. Adobe has pushed an update that fixes the flaw. Michele Spagnuolo, the Google engineer, has uploaded the tool to GitHub and explains all about it in his blog post; all you security engineers out there will have an awesome time reading it. Michele informed the major sites and Adobe about the issue a few days before he published the blog post.
I understand you may not want the whole history of the vulnerability; you just want to know how you can be safe from this problem. Here are some tips.
Web Users' Guide To Safety:
1. Download and use the latest version of the web browser that you are using.
2. Always use the updated version of Flash (Adobe has released a new version to solve this issue).
3. Most important, always use an up-to-date anti-virus so that it can help your system detect any threat and eliminate it.
Website Owners' Guide To Safety:
1. Stop using JSONP on domains that contain sensitive information.
2. Start using dedicated sandbox domains wherever possible.
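
To decide which endpoints on a sensitive domain need to be retired, the sketch below is an added example, not code from the original post or from Michele Spagnuolo's tool. It probes each endpoint with a harmless alphanumeric marker and flags those whose response body begins with request-supplied text. The endpoint functions, paths and marker are constructed stand-ins.

```python
import re

# Typical callback allowlist. It blocks script injection, but the payload this
# post describes is itself purely alphanumeric, so it passes this check.
CALLBACK_RE = re.compile(r"[A-Za-z0-9_]+")


def jsonp_endpoint(callback, data='{"user":"alice"}'):
    """Constructed stand-in for a classic JSONP endpoint."""
    if not CALLBACK_RE.fullmatch(callback):
        return 400, {}, ""
    return 200, {"Content-Type": "application/javascript"}, f"{callback}({data})"


def json_endpoint(callback=None, data='{"user":"alice"}'):
    """Constructed stand-in: same data as plain JSON, callback ignored."""
    return 200, {"Content-Type": "application/json"}, data


def audit(endpoint, marker="AUDITMARKER123"):
    """Send a harmless alphanumeric marker as the callback and report
    whether the caller controls the first bytes of the response body."""
    status, _headers, body = endpoint(marker)
    offset = body.find(marker)
    return {
        "status": status,
        "reflected": offset != -1,
        "leading_bytes_controlled": offset == 0,
    }


def endpoints_to_retire(endpoints):
    """Names of endpoints whose response starts with request-supplied text."""
    return sorted(name for name, ep in endpoints.items()
                  if audit(ep)["leading_bytes_controlled"])


if __name__ == "__main__":
    # Constructed inventory of endpoints on one sensitive domain.
    inventory = {
        "/api/profile.jsonp": jsonp_endpoint,
        "/api/profile.json": json_endpoint,
    }
    for name, ep in inventory.items():
        print(name, audit(ep))
    print("retire or move to a sandbox domain:", endpoints_to_retire(inventory))
```

An endpoint that passes the alphanumeric allowlist and still reports `leading_bytes_controlled` is the kind the two tips above apply to.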