
Doh! WikiLeaks' PDF viewer springs XSS vuln

Just link directly to the docs, says frustrated surfer

Wikileaks' Flash-powered PDF reader has sprung a vulnerability or two.

The whistle-blowing website uses an open source Flash library called FlexPaper to display PDF files. Unfortunately, various coding errors left FlexPaper open to cross-site scripting and content spoofing.

Developers behind the open source web based document viewer software have developed a patch to resolve the bugs.

“We have confirmed this XSS security vuln in our GPL flash viewer and patched it. New version: http://static.devaldi.com/GPL/FlexPaper_2.3.0.zip,” FlexPaper told El Reg. “Most Flash security holes were patched in flash version 9 and FlexPaper requires Flash 11 but we have confirmed this XSS.”

The discovery of the bugs by security researcher Francisco Alonso has provoked fears on WikiLeaks' forums (http://www.wikileaks-forum.com/security-support/608/-flexpaper-pdf-viewer-used-on-wikileaks-org-presents-security-risk-for-users/32700/msg66862#msg668621:3) that the vulnerabilities might be abused to de-cloak users, threatening the privacy of WikiLeaks users in the process.

Hackers (state-sponsored or otherwise) might use Flash components specifically to de-cloak users. It might also be possible to post links to external content as part of attempts to (further) discredit WikiLeaks. Forum members fear something similar to the Feds' use of Metasploit modules to uncover the identities of Tor users.

“Given the fact that most browsers use plugins to enable the reading of PDFs, we strongly urge Wikileaks to link directly to PDF files instead of using third party software that could put users at risk,” a WikiLeaks forum member advised.

WikiLeaks did not respond to our requests for comment. ®
