Source: blog.watchfire.com
Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it passed two user-controlled parameters ('apiInit' and 'apiId') straight to ExternalInterface.call(), the ActionScript API used for interaction between ActionScript and the Flash player container (the hosting HTML page, in the case of browsers).
// Parameters are read from the URL that loaded the SWF, so both values are attacker-controlled.
var flashParams:* = LoaderInfo(this.root.loaderInfo).parameters;
API_ID = "apiId" in flashParams ? String(flashParams.apiId) : "";
API_INIT = "apiInit" in flashParams ? String(flashParams.apiInit) : "onUploaderApiReady";
...
// The first argument names the JavaScript function the container will execute.
if (ExternalInterface.available) {
    ExternalInterface.call(API_INIT, API_ID);
}
A snippet from uploaderapi2.swf
The code above is vulnerable to a script injection attack: setting apiInit to eval and apiId to arbitrary JavaScript code results in the execution of that JavaScript in the context of mail.google.com (the Gmail domain). Hence, by luring victims to load a specially crafted link, attackers could execute malicious JavaScript in the context of active Gmail sessions and fully impersonate their victims (manipulate and steal sensitive information from their accounts). Like other script injection attacks, a real-world attack could be refined by using techniques such as loading the malicious link in a hidden IFrame.
As can be seen in the screenshot below, before Google patched the aforementioned flaw, loading the following link popped-up an alert message with the cookies that are associated with Gmail's domain:
https://mail.google.com/mail/uploader/uploaderapi2.swf?apiInit=eval&apiId=alert(document.cookie)
Gmail script injection screenshot
Transparent Attack
As presented in Stefano Di Paola's famous presentation, one of the interesting characteristics of Flash attacks is the ability to mount transparent attacks in browsers such as Firefox and Google Chrome. Because Flash is executed on the client side, the malicious payload (in this case, the values of apiInit and apiId) can be hidden from the server by adding the '#' sign before the query part of the URL: https://mail.google.com/mail/uploader/uploaderapi2.swf#?apiInit=eval&apiId=alert(document.cookie)
That way, the attacked browser sends a parameter-less request for https://mail.google.com/mail/uploader/uploaderapi2.swf (uploaderapi2.swf is loaded by Gmail with no parameters by default). This request is therefore regarded by the server as standard and not alarming in any way. However, a successful exploitation is still possible, since the Flash player refers to the whole URL, including the attack payload that comes after the '#' sign.
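As an added illustration (not part of the original post), the following JavaScript models the asymmetry described above: what the server can log for a request versus what a client-side component that reads the full document URL would see. The function names (parseQuery, serverView, clientView, hiddenFromServer) are chosen here, the "client" side is a model of the behaviour the post describes rather than the Flash player's real parameter parser, and the two sample URLs are the ones from the post. This is the gap a server-side filter or log review cannot close; the check has to happen where the parameters are consumed.

```javascript
// Added example, not from the original post. Runs under Node.js (uses the
// global WHATWG URL class) or in a browser console.

// Parse "a=1&b=2" into a plain object. Keys and values are percent-decoded.
function parseQuery(qs) {
  const out = {};
  if (!qs) return out;
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
    out[key] = val;
  }
  return out;
}

// What the server receives: browsers never transmit the fragment, so the
// request line carries only the path and the query that precedes '#'.
function serverView(urlString) {
  const u = new URL(urlString);
  return { path: u.pathname, params: parseQuery(u.search.slice(1)) };
}

// What a client-side consumer of the whole URL sees (model of the post's
// description): the real query, plus any "?key=value" payload placed in
// the fragment, which overrides same-named query parameters.
function clientView(urlString) {
  const u = new URL(urlString);
  const params = parseQuery(u.search.slice(1));
  const frag = u.hash.slice(1);
  const qIdx = frag.indexOf('?');
  if (qIdx !== -1) {
    Object.assign(params, parseQuery(frag.slice(qIdx + 1)));
  }
  return { path: u.pathname, params };
}

// Parameter names the client acts on but the server never receives, i.e.
// the portion of the request that no server-side log or WAF can inspect.
function hiddenFromServer(urlString) {
  const s = serverView(urlString).params;
  const c = clientView(urlString).params;
  return Object.keys(c).filter((k) => !(k in s)).sort();
}

// Sample input: the two links quoted in the post.
const SAMPLE_URLS = {
  plain:  'https://mail.google.com/mail/uploader/uploaderapi2.swf?apiInit=eval&apiId=alert(document.cookie)',
  hidden: 'https://mail.google.com/mail/uploader/uploaderapi2.swf#?apiInit=eval&apiId=alert(document.cookie)',
};

function demo() {
  return {
    plainHidden: hiddenFromServer(SAMPLE_URLS.plain),   // []
    fragHidden:  hiddenFromServer(SAMPLE_URLS.hidden),  // ['apiId', 'apiInit']
  };
}
```

Running demo() shows that the '#' variant leaves the server with a bare request for the SWF path and no parameters at all, while the client-side view still contains both apiInit and apiId.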
Remediation
The first parameter that is passed to ExternalInterface.call() determines the name of the JavaScript function to be executed. This parameter (API_INIT) has been updated to contain a hardcoded value ('onUploaderApiReady') and no longer relies on external user input.
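The fix above removes the caller's control over the function name entirely. Where a component genuinely needs a configurable callback name, the same property can be preserved with an explicit allowlist, of which a hardcoded name is the one-entry case. The following JavaScript is an added example, not code from Gmail or from the Flash player: it models the host-page side of an ExternalInterface-style callback so the hardened dispatch can be exercised without a browser. The names registerCallback, safeDispatch and isPlainIdentifier, and the handler body for onUploaderApiReady, are this example's own assumptions.

```javascript
// Added example, not from the original post or from Gmail's code.

// Handlers the page is willing to expose to the plugin. A name that is not
// registered here is never callable, whatever the caller supplies.
const registeredCallbacks = new Map();

// Only a bare JavaScript identifier is an acceptable callback *name*.
// "alert(document.cookie)" is an expression, not a name, and is rejected
// before any lookup happens.
function isPlainIdentifier(name) {
  return typeof name === 'string' && /^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name);
}

function registerCallback(name, handler) {
  if (!isPlainIdentifier(name) || typeof handler !== 'function') {
    throw new TypeError(`refusing to register callback ${JSON.stringify(name)}`);
  }
  registeredCallbacks.set(name, handler);
}

// Dispatch by name: check the syntax, check the allowlist, then invoke the
// registered handler with the argument as an opaque string. The argument is
// never evaluated, so apiId may contain any text without becoming code.
function safeDispatch(name, arg) {
  if (!isPlainIdentifier(name)) {
    return { ok: false, reason: 'callback name is not an identifier' };
  }
  const handler = registeredCallbacks.get(name);
  if (!handler) {
    // Catches "eval", "Function", "setTimeout": syntactically valid names
    // that are simply not on the allowlist.
    return { ok: false, reason: `callback ${name} is not registered` };
  }
  return { ok: true, result: handler(String(arg)) };
}

// The single callback the fixed uploader needs. Its behaviour here (record
// which uploader instance reported ready) is assumed for the example.
const readyInstances = [];
registerCallback('onUploaderApiReady', (apiId) => {
  readyInstances.push(apiId);
  return readyInstances.length;
});

// Exercise the legitimate call and the two hostile inputs from the post.
function demo() {
  return {
    legit:    safeDispatch('onUploaderApiReady', 'uploader-1'),
    evalName: safeDispatch('eval', 'alert(document.cookie)'),
    exprName: safeDispatch('alert(document.cookie)', ''),
  };
}
```

Note that the eval case is rejected by the allowlist rather than by the identifier check: eval is a perfectly well-formed function name, which is exactly why a syntax check alone is not a sufficient fix.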
Acknowledgments
I would like to thank the Google security team for their quick responses and the efficient way in which they handled this security issue.