Cross-Site gmail Using flash

Source: Internet
Author: User


Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it used two user-input parameters ('apiinit 'and 'apiid') as parameters to ExternalInterface. call (), a class that is used for interaction between Actionscript and the flash player container (a hosting HTML page in the case of browsers ).

Var flashParams: * = LoaderInfo (this. root. loaderInfo). parameters;
API_ID = "apiId" in flashParams? (String (flashParams. apiId )):("");
API_INIT = "apiInit" in flashParams? (String (flashParams. apiInit )):
("OnUploaderApiReady ");
If (ExternalInterface. available ){
ExternalInterface. call (API_INIT, API_ID );

A snippet from uploaderapi2.swf

The code above is vulnerable to a script injection attack: setting apiInit to eval and apiId to arbitrary JavaScript code, results in the execution of the JavaScript in the context of (the Gmail domain ). hence, by luring victims to load a pair crafted link, attackers cocould execute malicious JavaScript in the context of active Gmail sessions and fully impersonate their victims (manipulate and steal sensitive information from their accounts ). like other script injection attacks, a real-world attack cocould be refined by using techniques such as loading the malicious link in a hidden IFrame.

As can be seen in the screenshot below, before Google patched the aforementioned flaw, loading the following link popped-up an alert message with the cookies that are associated with Gmail's domain:
Https:// ApiInit = eval & apiId = alert (document. cookie ).

Gmail script injection screenshot

Transparent Attack
As presented in Stefano Di Paola's famous presentation, one of the interesting characteristics of Flash attacks is the ability to mount transparent attacks in browsers such as Firefox and Google Chrome. due to the fact that Flash is executed in the client-side, the malicious payload (in this case, the values of apiInit and apiId) can be hidden from the server by adding the '# 'sign before the query Part of the URL: ApiInit = eval & apiId = alert (document. cookie ).

That way, the attacked browser sends a parameter-less request for (uploaderapi2.swf is loaded by Gmail with no parameters by default) -this request is therefore regarded by the server as standard and not alarming in any way. however, a successful exploitation is possible since the Flash player refers to the whole URL, including the attack payload, which comes after the '#' sign.

The first parameter that is passed to ExternalInterface. call () determines the JavaScript function name to be executed. this parameter (API_INIT) has been updated to contain a hardcoded value ('onuploaderapiready') and does not rely on external user-input any more.

I wowould like to thank the Google security team for their quick responses and the efficient way in which they handled this security issue.










Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.