'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials 68
New submitter newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today. It has been dubbed the "Rosetta Flash" attack. JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place. Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack. Several of these services fixed the vulnerability with a patch prior to the public release, and Tumblr patched within hours of the release.
haven't we learned from the last 25 exploits? (Score:4, Insightful)
Keep javascript and flash disabled.
That is all. Letting random web sites run scripts on your computer has never been a good idea.
Enable it for your bank if you want. Otherwise, keep it disabled, and you'll be a lot happier (it keeps crapsites from foisting their crap on you), more secure from various exploits, and will maintain more of your privacy from all the data harvesters that depend on javascript.
Re:say wha? (Score:1, Insightful)
English translation: as usual, Flash is useless except as a vector for malware, viruses, trojans and keyloggers. Remove Flash from your system.
Re:haven't we learned from the last 25 exploits? (Score:5, Insightful)
Expect to be flamed into oblivion by all the 'web devs' that cant be bothered to learn how HTML works and rely on this crap instead, though.
The web - the real web, the HTML web, appears to be shrinking at the moment. New content is often hidden behind some kind of opaque app crap for no apparent reason and with no actual webpage for fallback (thanks google!) and old content occasionally gets removed as well. Each time this happens, it makes it even harder and less likely to revive the healthy web we once built with such love and care.
And naturally the people that are making a profit on this crap will just keep right on cranking it out as long as that is true.
The real victims here are future generations, who should inherit that world-wide web, but are set to inherit something entirely different - and inferior in every way (when judged from the users perspective - from the perspective of big Advertising of course the story will be different, but we built this web for humans, not for marketing.)
A harmful chaining of shitty browser hacks. (Score:5, Insightful)
It's basically a case of one shitty, half-assed browser hack (JSONP) being used in a way that allows another shitty, half-assed browser hack (JavaScript) to abuse yet another shitty, half-assed browser hack (Flash) to violate a shitty, half-assed "security" feature (same-origin policies).
The browser is truly the shittiest platform we've ever had. It may be widespread, but good god, is it ever shitty in so many inherent ways. It's just one smear of shit layered upon another. It really is broken all the way down.
Re:say wha? (Score:4, Insightful)
That's actually not quite true. Flash is a great way to develop simple games quickly and cheaply.
The problem isnt Flash itself (which is on the whole a fine product, used correctly) but the idea of using Flash as a substitute for a webpage, the installation of it as a browser plugin, and the auto-execution of it by the browser. None of that should be tolerated.
It's still possible to get a standalone flash interpreter and only feed it local, vetted files, which is really fine (or as close to fine as lots of other things you do every day, at least.) But Adobe seems to be trying their best to discourage that and force everyone to use it as an auto-enabled browser component instead. The one way to use the program that causes major problems is also the one way they want you to use it.
Everyone who has been infected as a result of this should really get together and sue these arseholes, because money is the only language they understand.
Re:haven't we learned from the last 25 exploits? (Score:1, Insightful)
Some of us would like the internet to be ... well ... useful.
It was plenty useful before Javascript was even invented. With a few rare exceptions, Javascript has not improved the web. It's made back buttons break, foisted 275 KB pages to do what 4K of HTML would do just fine, made videos break where a direct link would work, given us flashing crap, shit popping up, security vulnerabilities, disabled cut and paste which works again as soon as you disable javascript, and so forth and so on.
If you want the web to be useful, you should be pushing for only the most minimal use of Javascript.
Oh... unless you're one of the marketing types that hijacked the web that engineers built for you, who now want to data-mine everybody and serve "targeted ads" and build online profiles of what everybody does. In that case, your opinion makes perfect sense.
JS (Score:3, Insightful)
This doesn't surprise me. Few developers truly understand how many vectors JS opens up. Just KISS and let's move forward.
JS fanboys are ruining everything.
Re: haven't we learned from the last 25 exploits? (Score:2, Insightful)
Someone doesn't know shit about the web here...
The introduction of Javascript was when the Internet began to turn to crap. Many of us pointed out at the time just what a security nightmare it would be.