Say What, Flash is More Secure Than HTML5?!

So my favorite script kiddy and copycat, Feross (copied, note the shameless “I discovered” in his Quora post, LoL)
Found a social engineering flaw in the HTML5 fullscreen mode that can be used for phishing attacks. This time it might be even his own finding… what do you know 😉

This flaw is very much similar to the well known and very old picture-in-picture
Picture-in-Picture Phishing Attacks and Operating System Styles
More info..
IMHO the old version is still way more dangers for phishing.

So How Flash is more secure?

What enables this HTML5 fullscreen flaw to exist in his prime is the fact you have full keyboard access. This way an attacker can more easily steal the user’s credentials.
After all fullscreen was existant in Flash for many years now, yet it was never compromised this way. The main reason is that Flash is more secure is that it does not allow full keyboard interaction in fullscreen.

Good thinking Adobe, taking care our security… oh wait… Flash was added with this feature with version 11.3… after all Flash can’t be left behind…
Working demo…

Damn… but still Flash gives you a decent popup confirmation which HTML5 doesn’t

Yeah, I know Chrome give you a popup too, but you don’t have to click on it to get FULL keyboard access.
I constructed this “amazing” demo here (chrome only), as you can see you get the message but the keyboard is fully functional and accessible through javascript.

So still Flash is more secure than HTML5 – in that respect.

It takes us back to what me and other were preaching about, that with great power comes great responsibility.
HTML5 have its own flaws and the more powerful it’ll become it will get even more.

Stay tuned…

  • Let’s get one thing straight: I didn’t copy your attack. I discovered a new attack.

    If I merely copied you, then why did Adobe post about fixing a new clickjacking attack in October 2011? (

    Your attack iframed the entire Adobe settings webpage, which Adobe fixed by adding framebusting code to the page.

    My attack, on the other hand, worked by iframing the settings manager .SWF file directly, bypassing the framebusting code on the settings page.

    That being said, the attacks are certainly similar. If you read my blog post (, I mentioned that my demo builds heavily off of your ideas and work, as well as including a link to your original post. I think I made it pretty clear that I was building off of your work, and that what I discovered is a new attack that needed to be fixed.

    It’s pretty disingenuous of you to say that I merely copied you.

  • Pingback: Say What, Flash is More Secure Than HTML5?! | GUYA.NET « eaflash()

  • guya

    Copycats don’t die they just disappear:

    You copied my code and some of my binaries as is, change some of the colors and some variable names and posted it as your own. Your code in github has my own files!

    You copied the code and the EXACT same concept, your all finding can be summed as “Look, Adobe hasn’t fully patched this old Webcam Clickjacking attack”

    So it’s either you are ignorant or just a liar.
    This is not a “based on” this is a copy with a slight alteration, more like version 1.0.1

    Beside, doing exactly what you did was already known back than, as I noted before: