Update: Adobe has fixed this issue by framebusting the Settings Manager pages. Now, 99.9% of the users are protected from this specific exploit. Congrats on the fast response. —- Turn every browser into a surveillance zombie. The wet dream of every private eye and peeping tom. Imagine this scenario, »
Recently, a questionable Flash feature of writing to the user’s clipboard has been exploited. Adobe will finally fix this feature and it’ll require user interaction (mouse/keyboard click) in the upcoming Flash 10. IMHO the people in charge of the Flash Player security have chosen the best option, »
Update: Added a sterilized demo and the source code. CSRF (Cross Site Request Forgery) is considered one of the most widely spread exploits in websites today. I’ve written before about how a legitimate Flash file (swf) can be extremely viral. Few days ago I did a real attack, exploiting »
Update: I’ve posted a real world example of this bug being exploited. This one has the same behavior on IE6, IE7 and IE8 betas. I have only tested this with Flash swf files, but it’s likely that this security is applied and broken the same way, when navigating »
Update: Adobe Product Security Incident Response Team (PSIRT) has referred to this “Clipboard attack” Update 2: Aviv Raff has updated me about the fact that it won’t be that easy to replicate this attack using Javascript on the latest browsers and with the default security settings. Thanx. Lately there »