Hackers Luca Carettoni and Mauro Gentile found a badly-applied four-year-old Adobe patch allows attackers to steal information and commandeer accounts for three of the world's top ten websites and 'many' others.
The LinkedIn and Minded Security researchers say the indirect Same-Origin-Policy Request Forgery and Cross-Site Request Forgery bypasses relates to a failed patch (CVE-2011-2461) issued in 2011. It is intended to fix Adobe Shockwave files that are vulnerable when built through the company's Flex software development kit compiler.
"The particularity of CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited," the duo wrote in an advisory.
"As long as the SWF file was compiled with a vulnerable Flex SDK, attackers can still use this vulnerability against the latest web browsers and Flash plugin.
"As soon as we understood the potential risk, we conducted a large-scale analysis by locating SWFs hosted on popular websites and analysing those files with a custom tool capable of detecting vulnerable code patterns."
The pair published the ParrotNG tool for system administrators to detect vulnerable files on affected websites and will reveal detailed exploitation steps later on.
They say admins should recompile swf Flash files using the latest Flex SDK and patch using the Adobe tool. Unneeded swf files should be deleted.
Attackers would need to convince users to visit malicious websites in order to steal data or perform actions on their behalf, the pair say.
"Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker," they say.
"Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user's data." ®