Friday, September 29th, 2006
In this blog entry, Chris Shiflett takes another look at the dangers of cross-domain Ajax performed through a Flash object embedded in the page. He recalls an earlier discussion in which he had pointed out that the example depends on a specifically named policy file, crossdomain.xml, being served by the target domain.
Julien, the author of the example, confirmed that this was the case, and Chris, surprised by the implications, gives an example of how it could be exploited, including a test he performed against Flickr. He goes on to describe pulling in others more experienced with Flash to verify the problem. They found that it was real and even went so far as to build a simulation of the MySpace worm to demonstrate its potential for abuse.
Chris also recommends:
If you have a public API and want to allow cross-domain Ajax requests with Flash, be sure to use a separate domain. If the user interface and API operate in the same domain, there’s almost no limit to what an attacker can do.
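As an added illustration (this is not code from Chris Shiflett's post or from the example it discusses), here is a small Python check that parses a crossdomain.xml policy, decides whether a given requesting domain would be granted access, and flags the two things a reviewer would raise: a wildcard `domain="*"` entry, and a policy hosted on the same domain as the logged-in user interface. The two sample policies and all domain names are constructed for the example; the domain-matching logic is a simplified model of Flash's rules (exact match, `*`, or a leading `*.` subdomain wildcard) and is an assumption of this example, not a specification.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from the original post).
# A wildcard policy served from the same host as the logged-in UI lets any
# site embed a Flash object that reads that host with the victim's cookies.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# A restricted policy: only the named partner host and subdomains of the
# API's own domain may make requests.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example-partner.com"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in <allow-access-from> entries."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def domain_allowed(policy_xml, requesting_domain):
    """Simplified model of Flash's check (assumption of this example):
    '*' matches everyone, '*.suffix' matches hosts ending in '.suffix',
    anything else must match exactly."""
    for pattern in allowed_domains(policy_xml):
        if pattern == "*":
            return True
        if pattern.startswith("*."):
            if requesting_domain.endswith(pattern[1:]):
                return True
        elif requesting_domain == pattern:
            return True
    return False


def audit_policy(policy_xml, serves_authenticated_ui):
    """Return the findings a reviewer would raise about this crossdomain.xml.

    serves_authenticated_ui: True when the host serving the policy is also
    the host where users log in, the situation the post warns against."""
    findings = []
    domains = allowed_domains(policy_xml)
    if "*" in domains:
        findings.append("wildcard domain grants every site cross-domain access")
    if serves_authenticated_ui and domains:
        findings.append("policy is served from the same domain as the "
                        "logged-in UI; host the API on a separate domain")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "allows evil.example.org:",
              domain_allowed(policy, "evil.example.org"))
        for finding in audit_policy(policy, serves_authenticated_ui=True):
            print("  finding:", finding)
```

The second finding fires even for the restricted policy when the file sits on the UI's domain, which is the point of the recommendation above: a partner host listed in the policy, or a compromise of it, is enough to reach the authenticated interface unless the API lives on its own domain.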
Posted by Chris Cornutt at 7:51 am