Same-origin violations when Adobe Flash loaded via view-source: scheme
- April 21, 2009
- Gregory Fleischer
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 3.0.9
- SeaMonkey 1.1.17
- Thunderbird 126.96.36.199
Security researcher Gregory Fleischer reported
that when an Adobe Flash file is loaded via
view-source: scheme, the Flash plugin misinterprets
the origin of the content as localhost, leading to two specific
- The Flash file can bypass restrictions imposed by the crossdomain.xml mechanism and initiate HTTP requests to arbitrary third-party sites. This vulnerability could be used by an attacker to perform CSRF attacks against these sites.
- The Flash file, being treated as a local resource, can read and write Local Shared Objects on a user's machine. This vulnerability could be used by an attacker to place cookie-like objects on a user's computer and track them across multiple sites.
Additonally, Fleischer reported that the
could be used to bypass restrictions normally preventing content
view-source: from being rendered.
Thunderbird shares the browser engine with Firefox and could be vulnerable if plugins were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling plugins in mail.