This advisory is available online at: http://www.securiteam.com/securitynews/5XP0B0U9PE.html Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach ------------------------------------------------------------------------ SUMMARY "Over 497 million Internet users now use Macromedia Flash Player to seamlessly view content created with Macromedia Flash, the solution for developing rich Internet content and applications." A vulnerability discovered in Macromedia Flash ad user tracking field allows a remote user to perform Cross-Site-Scripting attacks and retrieve session information. DETAILS About the 'clickTAG' option: Macromedia flash supplies user-tracking field to swf (flash movies) ads: "The clickTAG is the tracking code assigned by the ad serving network to an individual ad. The clickTAG allows the network to register where the ad was displayed when it was clicked on. This click through data is reported to the ad serving servers so advertisers may determine the effectiveness of their campaign. The code below will allow ad serving networks to dynamically assign a clickTAG to their ad. In this example, a getURL action is being assigned to a button that will navigate the browser to ["clickTAG"]. The "getURL(clickTAG)" statement appends the variable data passed in via the OBJECT EMBED tag and navigates the browser to that location. It is the tracking code assigned by the ad serving network, which allows them to register a user's click on that advertisement. ..." The information was taken from Macromedia designer's guide: http://www.macromedia.com/resources/richmedia/tracking/designers_guide/ Vulnerability details: Vulnerability in the clickTAG field enables a remote user to run malicious javascript code in the context of the remote web site, and therefore retrieve session information and possibly other sensitive information. For example in the following script: http://www.example.com/victim.swf?clickTag=XXXX ("XXXX" = arbitrary script or tag) Replacing "XXXX" with a script to steal cookies will enable an attacker to perform session hijacking if the session is saved in the cookie, or to gain the private information present in ad tracking cookies. Solution: "A new player version is NOT required. Macromedia Flash advertisements that accept clickTAGs need to validate that the clickTAG URL begins with "http:". This helps ensure the clickTAG does not contain malicious code." Quote from the official Macromedia security advisory. We recommend that all user input should be filtered for malicious code and characters and never trusted "as-is". Vendor status: We would like to thank Macromedia for its prompt response and cooperation for solving this issue. Macromedia quickly acted to notify possibly affected sites and has released an official security announcement, which can be found at: http://www.macromedia.com/support/flash/ts/documents/clicktag_security.h tm. Macromedia has also revised the Designer's Guide and added this note: "Note: The ActionScript in this Flash advertisement is verifying that the clickTAG URL begins with "http:". This is an important security measure. If you do not take this precaution, a malicious HTML page could source your SWF and pass a clickTAG URL that begins with "javascript:" or another scripting pseudo-protocol. If your ActionScript code were to call getURL with a maliciously crafted JavaScript URL, it would be possible for the site serving the malicious HTML page to obtain the contents of your HTTP cookies or perform other actions on your site's behalf." ADDITIONAL INFORMATION The vulnerability was reported by Scan Security Wire . ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.