This flaw is very much similar to the well known and very old picture-in-picture More info.. IMHO the old version is still way more dangers for phishing.
So How Flash is more secure?
What enables this HTML5 fullscreen flaw to exist in his prime is the fact you have full keyboard access. This way an attacker can more easily steal the user’s credentials.
After all fullscreen was existant in Flash for many years now, yet it was never compromised this way. The main reason is that Flash is more secure is that it does not allow full keyboard interaction in fullscreen.
Good thinking Adobe, taking care our security… oh wait… Flash was added with this feature with version 11.3… after all Flash can’t be left behind… Working demo…
Damn… but still Flash gives you a decent popup confirmation which HTML5 doesn’t
So still Flash is more secure than HTML5 – in that respect.
It takes us back to what me and other were preaching about, that with great power comes great responsibility.
HTML5 have its own flaws and the more powerful it’ll become it will get even more.
Ever since I opened my blog at March 2006 the tagline I’ve chosen was “Flash And Everything Else”. Even though Adobe Flash wasn’t always the main thing I was doing, it always had a warm spot at my heart and I always kept on updating with everything related to it.
Flash could have lived for another few good years but Adobe decided to kill it prematurely, oh well it still have some few valid uses I guess – have fun. I haven’t touched it for the past 3/4 year.
Like many Flashers the transition to other client side technologies is natural, especially since many of us used it before.
What I do right now is mainly mobile, web, and mobile-web, but using something like “HTML5 And Everything Else” doesn’t sound good. All other similar variations failed as well. I’ve chosen “Tech And Everything Else” so I guess I’ll have to be more general and write about tech in general. I have some things to say – stay tuned.
In poker, a brave fold would be a case where you have a strong hand and you are already committed to the pot (you’ve already put in some substantial amount of money), even so, you sense that your opponent might have a stronger hand and you fold – losing your strong hand and the pot. Staying in the game would have required you to danger even more money, maybe too much.
Adobe was in similar situation, it has a very strong hand – Adobe Flash, and has already committed a lot of money on this loss leader. But staying in the game would have required them to put even much more money/resources on it. They would have to be fully committed, they would have to be “all-in”, borrowing from poker again. They could have end up winning the hand but if they will lose they can be out of the game completely.
In retrospect, seems like wasting all that resources on porting Flash for the mobile was good only for Adobe and us in the Flash crowed to be able to give Steve and the other mongers the finger, telling them – see, Flash runs well on the mobile! It was supposed to be obvious that Flash will never rich similar ubiquity on the mobile as on the desktop. Than again, everything is easier in retrospect.
There are many reasons why Flash succeeded where 1,000 other plugins failed. And it’s also amazing how a relatively small corporate like Adobe managed to be in front of much bigger competitors, Microsoft with it’s buckets of money and Sun with it’s Java Java Proxy Proxy, to name only two.
I’m just sick of layman’s that are quoting laymen’s that are quoting a reporter that quotes another reporter that quote “someone who knows” that quote anther one that “really knows” – it’s like that game, what’s is name?! The other day I’ve heard from someone who should have known better that – “lake of multithreading killed Flash” – you’ve probably heard that BS before, yep it’s total BS. Add that to the many other miss-consumptions people make regarding this issue and it piles to a big pile of sh<bip>it. I wonder how many of these laymen’s knows the hassle of cross browser HTML development?!
So, congrats on the brave fold Adobe, with the right hand I solute you. On the other hand I’d say f*ck you big proprietary beast, how dare you stab so many people in the back.
The revived attack is exactly the same as my 2008 POC it even uses lots of my code. The different is that instead of using the settings manager html page as the source of the iframe it’s now uses the setting manager swf directly. Actually, this was the first thing I’ve tried after Adobe frame bust the settings manager pages. It didn’t work well for my windows browsers so I’ve ditched it. One of the first comment on my Webcam Clickjacking post created the same thing and gave a link to it (it is now links to an AD). So obviously everyone knew it or at least thought about it – everyone except Adobe.
The Flash Player provide great power on the web, it’s still the only practical mean to interact with the user’s webcam and microphone. You know the cliché, with great power comes great responsibility. Adobe needs to be vigilant when it comes to her users security and privacy, and her users are practically everyone.
Obviously that every new version of the Flash Player should go through vigorous security testing. It’s also needs to be done with every new browser and OS version. That’s a huge matrix but it needs to be done. For example, browser change the way they embed plugins which can easily leads to flaws even if the Flash Player stays the same.
Back than Adobe knew about the ClickJacking beforehand coz they were informed by RSnake and Jeremiah Grossman. They didn’t knew specifically about my POC and the way it exploits the settings manager, but anyhow they should have at least frame-bust every related page. It’s insane that in all of these 3 years no one bothered to at least Flash-bust the settings manager SWF and prevent the resurrection of my POC.
BTW, good job Feross Aboukhadijeh, my name is Guy Aharonovsky – whois is easy…
Not dealing much with HTML lately, I’ve only noticed this new feature now. The thing is that HTML5 let you change the page’s URL path without refreshing the page content. Like in this example from google 20thingsilearned.com – when you flip the book’s pages the url changes for easy bookmarking and SEO, but the content doesn’t flicker. If that not seems like much to you, than you don’t know what you’re talking about.
All that is needed to achieve the magic is this line of code:
Amazing! There is no need for the ugly hash (#) anymore in order to achieve AJAX/Flash deep linking… oh wait… it doesn’t work in IE9 and FireFox 3.x (yet)
Thinking “I know all that browsers can do” this one got me wondering. I’m coming to realize that even though I still believe I generally know most of its capabilities, with HTML 5 there probably lots of things that browsers can do which I’m not yet familiar with. I swear I will skim through the spec when I’ll have the time, there must be many interesting security flaws in there… or is it?!.
This is a never seen before example of the upcoming version of Away3D engine taking advantage of the new 3D API of the upcoming Flash Player – code named Molehill.
This example and more, were presented by Lee Brimelow today in the FlashIsrael event and he said he just got these a few hours ago from Away3D devs, so chances are you never seen it before.
There were other impressive examples with even much more polygons and such. I’m sure we’ll get to play with all of it in a few weeks when the labs version of Molehill will be available along with the new Away3D engine – – Great!
It was great to finally be able to meet Lee and all the others. After years of reading Lee’s blogs and seeing him in videos, he seems like a truly funny, smart and nice dude… ah yeah… and tolerant for annoying people with cameras — Thanx
The challenges of presenting large amount of data visually in a way that one will be able to easily digest and understand it are becoming more viable daily. The democratization of data, challenge authors to think about new ways to visualize it.
The above text, is pretty much the summery of this highly inspiring video called Journalism in the Age of Data. As the name suggest this video is mainly about journalism data viz, but, it is also highly inspiring for anyone dealing with data of any kind.
Many RIA applications today struggle with the ability to present large data sets to the user in away which he can digest and understand. I would say that many of these new apps, especially in the enterprise space and from the last few years, are built upon the Flex framework.
As RIA developers many of us face these challenges in the day to day work. Obviously, the charts that comes bundled with the Flex framework won’t suffice most of the time, and one would need to relay on third party components or role her own. Not so long ago, its seemed that this area is blooming. The amazing open source projects like Flare and BirdEye. The slick commercial components, IBM ILOG Elixir and KapLab – ridiculously priced and has draconian licensing, respectively.
Today, these open source projects seems to be abandoned and the commercial tools prices seem to increase. The field of online data visualization is exploding and yet the Flex tools seems a bit halted.
The somewhat halted SilverLight with its basic charts and decent third party components. And the HTML5 alternatives, like Protovis, which still needs some maturity – doesn’t seem to provide the alternative.
Anyhow, if one wants to create something “out of the box”, than she needs to use something like Flare as the base and invent her own data viz, other than use some slick, out of the box, components.
We all welcomed this addition to the Flash Player 10.1. The ability to catch all exceptions inside the player has lots of benefits, from proper logging on to not annoying users that has the debug player.
There are some code examples of how to implement this feature, and indeed it was a breeze adding it for pure Flash and to Flex 4.x projects. But, somehow I had trouble making it work for Flex 3.x project. I know it’s a player dependent but still something in the Flex 3.x framework killed this functionality.
Anyhow, eventually it did worked for me on the Flex 3.x, but I couldn’t make it to work when even 1 of the libraries, except playerglobal.swc, isexternal or RSL. I guess there is no escape from monkeying with the RSL loader to see if I can find a solution there.
I’ve mad these examples available, in case you need a complete example and/or also struggling with this feature on Flex 3.x. Also, in these examples I didn’t force the user to update the Flash Player and used a compiler argument -target-player=10.1.0 instead of modifying the html wrapper.
All examples are viewable here, you can right-click on “View Source” or download the complete Flash Builder 4 projects (for Flex Builder 3 project, look at the comments).
I was going to congrat Adobe for their fix to the private browsing in Flash, this was my original text:
I’m glad to say that Adobe has fixed the minor issue they had with the new Flash Player 10.1 private browsing. I’ve written before on how a developer can tell the user’s browsing mode.
The Flash Player that is installed with CS5 is 10.1.52.14 which still suffer from this bug. If you surf the web using private browsing mode you should update the Flash Player to the latest, currently, 10.1.53.38 (RC4). Actually you should update it anyway.
But, when I went to see what have they changed in order to fix it. I saw that both modes, now, have the same limit of 100KB, but it’s still differ. While trying to save more than 100KB in normal browsing mode the status is “pending” while in private browsing mode it immediately fails.
Making this demo functional again required changing 1 line of code. Using any Flash Player, from 10.1_beta2 till latest 10.1.53.38(RC4) should show you if you’re in private mode or not.
So, please, again, normal and private browsing modes should behave exactly the same from a developer standpoint. Making local storage limit the same 100KB was a step in the right direction, but, it’s not enough. Let any Flash content ask for more storage even if it’s in private mode and allow the user to accept it, just remember to delete the user’s choice along with the local storage.
BTW, it might be possible to trick the browsers to tell you the user’s browsing mode, using HTML5 localStorage for example, and without using Flash.
The updated source code is below:
* This class will tell the current browsing mode of the user
* Tested with Flash Player 10.1 beta 2 - 10.1.53.38 (RC4)
* for more info go to:
[SWF(backgroundColor="#FFFFFF", width="400", height="35")]
public class KissAndTell extends Sprite
private var _tf:TextField;
public function KissAndTell()
private function initStage():void
stage.scaleMode = StageScaleMode.NO_SCALE;
stage.align = StageAlign.TOP_LEFT;
//try to save 140kb into the local storage
private function saveData():void
var kissSO:SharedObject = SharedObject.getLocal("kissAndTell");
kissSO.data.value = getDataString(140);
status = kissSO.flush();
trace("Save failed - private browsing mode");
if(status && status == SharedObjectFlushStatus.PENDING)
trace("Pending status - normal browsing mode");
/*** Changed in the newer versions of the Flash Player 10.1 beta ***/
//If we can save more than 100kb then we're in Private Mode
else if(status && status == SharedObjectFlushStatus.FLUSHED)
//Listening to this event just to prevent exception on debug players
private function netStatusHandler(event:NetStatusEvent):void
trace("event.info.code: " + event.info.code);
private function setPrivateText():void
_tf.text = "Private Browsing Mode";
_tf.backgroundColor = 0xAA2222;
private function createTF():void
_tf = new TextField();
_tf.autoSize = TextFieldAutoSize.LEFT;
_tf.defaultTextFormat = new TextFormat("Arial, Verdana", 20, 0xFFFFFF, true, null, null, null, null, null, 10, 10);
_tf.text = "Normal Browsing Mode"
_tf.backgroundColor = 0x22AA22;
_tf.background = true;
private function getDataString(kb:int):String
var t:int = getTimer();
var word:String = "GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_GUYA.NET_";
var a:Array = new Array();
var lenNeeded:int = kb * 1024;
while(count * word.length < lenNeeded)
var ret:String = a.join("");
trace("time for generating " + kb + "kb: " + String(getTimer() - t) + " ml");