Slashdot Mirror


Freaky Flash 6 Fishy Features

donpardo writes "I upgraded to Flash 6 last week (to patch a security hole). When I right clicked on a Flash ad at abcnews.com, and pulled down to Settings I got a tabbed dialogue box asking if I wanted to give them access to my cam and microphone. Clicking through on the tabs revealed that the microphone and the camera had already been detected and that the microphone was active. I doubt the camera or the microphone were sending information out but this still seems invasive. Here are Macromedia's statements about the mic and the camera. In addition there is a setting to ask how much information the site can store on your computer. The default value is 100K. According to the information statement "Data can be anything from your user name to your current score in an interactive game to a list of stocks in your portfolio ... The data is not public, but the privacy of this data depends on the policies of the web site where the movie is hosted."" I thought the first sentence of this submission was telling ...

20 of 284 comments

  1. Internet Awareness Anyone? by Scotch Game · · Score: 5, Insightful

    Okay, security's important, but come on people. The settings are configurable, the policy is easy to understand and what we're talking about in terms of the data being stored is essentially what amounts to Cookies for Flash. The camera and mic stuff can be turned off. If you don't like Flash this won't make you love it and if you love Flash this won't make you hate it. So people are posting about WHAT exactly?

    "I have to turn my camera off for Flash! Invasion of privacy! Invasion of privacy! Cookies are evil! The sun is disappearing, the dragons are coming! The dragons are coming!"

    1. Re:Internet Awareness Anyone? by Openadvocate · · Score: 2, Insightful

      Maybe that these days there are just so many things you have to opt out of. Even if you are a /. reader it's beginning to take some time to secure your PC and keep it that way.
      Then there is the deal with the huge amount of people that just don't know about these things, and why should they? Wasn't the idea of the PC these days that you don't have to be a geek to operate them?
      Personally I spend a good deal of time in front of computers so I am aware of these things, but there's plenty of people who don't really care about the details of how it works, and why? Because it is just a tool that they use in a busy day, just like they don't have to know how their car works.
      And it is not just a question about invasion of privacy. All those fancy features in different programs, including Flash, have often proved to include security holes. And forget about uninstalling it. After having visited the first 100 sites that prompt you to install the player, it gets really annoying.
      If these companies and people truly cared about people's security and privacy, they would all go the opt-in way instead, but what would happen is that only 2% would enable the features because the 98% are not computer people who are aware of these things. So the marketing/power/value of the product/features (Flash player) would be a lot smaller.

      --
      my sig
    2. Re:Internet Awareness Anyone? by Badly Configured · · Score: 2, Insightful
      > That's why things like open standards and open source exist.

      No, that's why physical switches and pullable cable plugs exist.

      It beats me why anyone would trust software to turn off the cam/mic. If none of the zillions of virii or freeware downloads on your computer is spying on you, I bet your kids are.

  2. "Local Storage" by Zordok · · Score: 2, Insightful

    Is it just me, or does this sound like domain-limited cookies?

    It says: "This data may be accessed by the Flash movie that is running or by another Flash movie on the same web site."

    My impression is that the data it collects is not data sitting on your hard drive, it is data that relates to the flash application you are using.

    -Zordok

  3. Re:What business does a player by Graspee_Leemoor · · Score: 3, Insightful

    Well someone might want to write a flash program that allows you to upload pictures of yourself, or sound clips.

    Honestly, if you're this paranoid you should be more concerned that your OS has control of your camera and microphone, since your OS was written by Microsoft!

    graspee

  4. Man, you panic so easily! by MadCow42 · · Score: 2, Insightful

    Ok, it's good to be concerned, but if you read the description, it's simply a method for a Flash movie to store information on your computer in a similar fashion as a web page stores information through a cookie.

    This info is only available to other Flash movies from THE SAME SITE, similar to the protection provided for cookies.

    It's simply a way to provide persistence from session to session at the same web site. I still wouldn't trust it with my credit card numbers, but Macromedia isn't Hitler reincarnated.

    Calm down. This has only been a test.

    q:]

    MadCow.

    --
    I used to have a sig, but I set it free and it never came back.
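A small model of the storage rules the comment above describes (data kept per web site, readable only by movies from that same site, capped by a user-set quota that defaults to 100K), added here as an illustration; it is not Macromedia's code, and the class and method names, the error types and the sample sites are assumptions.

```python
"""Toy model of the per-site local storage policy discussed in the thread.
Added example, not Macromedia's implementation: the 100 KB default quota
and the same-web-site access rule come from the page; class/method names,
error types and the sample site names are assumptions."""

DEFAULT_QUOTA_BYTES = 100 * 1024  # the "100K" default in the Settings dialog


class QuotaExceeded(Exception):
    """A site tried to store more than the user allows it."""


class CrossSiteAccess(Exception):
    """A movie from one site tried to read another site's data."""


class LocalStorageModel:
    """Named blobs stored per site, much like domain-limited cookies."""

    def __init__(self, default_quota=DEFAULT_QUOTA_BYTES):
        self.default_quota = default_quota
        self.quotas = {}   # site -> per-site override chosen by the user
        self.store = {}    # site -> {name: bytes}

    def set_quota(self, site, quota_bytes):
        """User-side setting: how much this site may store (0 = nothing)."""
        self.quotas[site] = quota_bytes

    def quota_for(self, site):
        return self.quotas.get(site, self.default_quota)

    def used_by(self, site):
        return sum(len(v) for v in self.store.get(site, {}).values())

    def write(self, site, name, data):
        """A movie hosted on `site` persists `data` under `name`.
        The quota is checked before anything is recorded, so a refused
        write leaves no trace for that site."""
        current = self.store.get(site, {})
        new_total = self.used_by(site) - len(current.get(name, b"")) + len(data)
        if new_total > self.quota_for(site):
            raise QuotaExceeded(f"{site}: {new_total} B > {self.quota_for(site)} B")
        self.store.setdefault(site, {})[name] = data

    def read(self, requesting_site, owner_site, name):
        """Only movies from the same web site may read the stored data."""
        if requesting_site != owner_site:
            raise CrossSiteAccess(f"{requesting_site} may not read {owner_site}")
        return self.store.get(owner_site, {}).get(name)

    def report(self):
        """Per-site (used, quota) pairs, for a user auditing what is stored."""
        return {s: (self.used_by(s), self.quota_for(s)) for s in self.store}


if __name__ == "__main__":
    m = LocalStorageModel()
    m.write("game.example", "score", b"42")   # constructed sample site/value
    m.set_quota("ads.example", 0)             # user blocks storage for one site
    print(m.report())
```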
  5. more FUD from slashdot by Anonymous Coward · · Score: 1, Insightful

    Why is this a big deal? Shared objects are exactly the same as JavaScript cookies. What's the difference?

    Once again, Slashdot shows its lack of understanding of Flash technology by posting this FUD.

    BTW, this is all covered in the Flash MX security whitepaper:

    http://www.macromedia.com/desdev/mx/flash/whitepapers/security.pdf

  6. It's not all that bad by seangw · · Score: 3, Insightful

    If by default your options are turned off, then is there really any large amount of harm?

    Storing information on your computer is an old practice (cookies), and contrary to popular belief, isn't all that bad.

    How many of you stay logged in on Slashdot when you come back to the site? That wouldn't be possible without "maintaining state" between visits.

    Personally I commend Macromedia for giving developers access to such important features (stored variables) and trying to get others into the mainstream (integrating video and mic).

    If you think this is an underhanded deed, then why don't you check your cookie files, you'll see quite a few, 90% are there solely to help you (10% could be tracking information, which in the end, just gives the user more relevant information).

  7. What about dialup? by Anonymous Coward · · Score: 2, Insightful

    All these scumwares that check for updates or send my browser history, bookmarks, cookies, registry keys, and directory trees to various sites keep freezing my ssh sessions. If they started to broadcast my mike, I'd be screwed. My dialup bandwidth isn't a resource any program can use at anytime, it's my precious property and I'm pissed off everyone is abusing it.

  8. Uninstalling Flash by FattMattP · · Score: 3, Insightful
    One of the best things I ever did for myself was uninstall flash from all my browsers. 99% of the time Flash is just needless eyecandy, IMO. I also set my activex settings in IE to disable activex entirely. That way I don't even get prompted over and over to install it.

    You can find information on how to uninstall Flash here: http://www.macromedia.com/support/flash/ts/documents/remove_player.htm

    --
    Prevent email address forgery. Publish SPF records for y
  9. Re:Ominous by Maserati · · Score: 2, Insightful
    100k? On that scale it's more like cupcakes.


    There's probably an ultrasecret club with $1000 membership dues that gets access to the stealth webcams.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  10. Re:Thats very scary by prizzznecious · · Score: 2, Insightful

    Oh you are? So that your connection will be noticeably slowed by all the information about you that's being extracted?

    --

    visit the hwky website for a lyrical genius infusion.
  11. How can Flash be removed? by Futurepower(R) · · Score: 3, Insightful


    How can Flash be removed from 1) Windows, and 2) Linux?

    Reasons not to run Flash:

    Flash presents unknown security risks. Sometimes Flash and other Macromedia products have been the point of entry of trojans and viruses, as mentioned in this documentation of a very serious bug, Macromedia Flash ActiveX Buffer Overflow.

    Flash on a website advertises Flash. There must always be some notice that says "Download Flash if you don't have it", and a link to Macromedia, so that web site viewers can get the latest version. This forced added content distracts from the intended content.

    Flash is nearly always used to provide images that are irrelevant to the content. Except for those who care about bright, shiny things more than content, Flash gets in the way. Flash authors are seldom qualified to provide moving picture content, and, even if they were, Flash is a very limited cinematic tool.

    Flash often causes long load times. Long load times communicate that the website viewer's time is less important than the website creator's love of movement. Flash often causes Website viewers to wait for "Loading..." messages.

    For website viewers who do not want to run Flash and other Macromedia software, or cannot, web sites using it are broken.

    By using Flash, authors of Flash content may cause the URL of their customers to be transmitted to Macromedia. If some disloyal Macromedia employee, or Macromedia itself, thought of some profitable reason to approach those customers directly, Flash content authors could lose business.

    Flash content is proprietary content. It is the money-making scheme of one company. This tends to undermine web standards like HTML. The Internet is a public utility for all of us to use. Proprietary methods go against that spirit.

  12. Re:What business does a player by GoRK · · Score: 4, Insightful

    MOTHER OF GOD that is so SINISTER of them. Surely, the bit is there to serve SATAN!

    I mean, how could it serve a legitimate purpose if you were using your webcam for, say, security purposes - to watch your empty office or house while you were away, or you just didn't want the LED to blink when it took a picture for say - your robot vision app? Won't someone PLEASE get these hardware engineers to stop including useful features in their devices?

    The intel webcams have always had this nice little shutter on the front that you can close. A very nice feature.

  13. Sandboxed? by theolein · · Score: 3, Insightful

    Flash started off as a very interesting technology about 6 years ago, and gained popularity amongst users because it was small (142k download or so), relatively innocuous (Only two exploits so far AFAIK) and it brought those things to the web that java applets had promised but failed to do. There was a huge demand for Flash coders in the middle of the Dotcom boom, especially when Flash 4 hit the scene with scripting abilities, allowing developers to make fancy interactive sites, and even more so when Flash 5 came around which improved the scripting and performance yet still remained small and relatively safe.

    What happened?

    Thousands of dotcommers made enormous Flash intro animations for their sites (about half of them forgetting to make a "skip intro" link), which rapidly irritated many, many visitors to said sites (a study on the irritation factor of Flash intros and banners would be *very* interesting). At the same time as the dotcom scene started crashing around everyone's ears, desperate internet marketing whizzes decided that Flash would be a brilliant vehicle for advertising, pushed along by an equally desperate Macromedia, whose products were no longer selling like hot cakes. The results of those ideas can be seen on almost every portal on the web (ZDNet is my favourite, with Slashdot also not doing too badly), and visitors' reactions are known to everybody, it seems, except for the mindless marketing people who push it. In this way it is very similar to spam.

    Macromedia spent a fortune on making Flash a tool that would liven up the web and make colourful, interactive, animated, dynamic sites possible, especially in conjunction with Macromedia's backend Flash application server, Generator. Apart from a host of sites early on, this trend has died out almost completely, because what Macromedia didn't realise is that just like web designers/coders have to cope with different browsers, they also have to cope with users who haven't and won't use the plugin, and therefore go for the lowest common denominator in websites: HTML with one or two pics etc. Flash didn't save a single dotbomb from going under.

    Now, just like any other large company (ahem), they need to add "features" in order to carry on making money with their product. Flash 6 (MX) now has built-in video, microphone and cookies. I very much doubt this is suddenly going to improve the content of all the Flash we've been getting, although it may kill one or two other companies' media players (QuickTime, WMP, Real), but, in moving out of the traditional small player that they've had, it will fast become larger, and someone is sooner or later going to find some hole in their player (ActionScript getting access to the drive while ostensibly looking for cookies? Exploiting a hardware driver (keylogger)?). For all my irritation with Sun's applet saga and Java on Windows, Sun worked very hard to make the language and VM design secure (and the fact that the few exploits with browser JVMs have been mostly in MS' JVM does show this). Macromedia doesn't AFAIK have that much experience in security wrt client-side technologies, and time will tell what will happen with this player.

    I used to be a Director programmer, and with Director you could pretty much do anything on the client machine with no checks, and Shockwave, Director's browser plugin, went in the same direction as Flash is going: first a straight player, and then with later versions you could download all sorts of xtras onto the client machine. I once, as a security test, wrote a screensaver with Shockwave that everybody in the company loved (it even won an award for design). What no one realised until we told them was that the screensaver had been merrily scanning people's drives in the background and uploading file lists to us.

  14. Re:Video conference and tech support by Anonymous Coward · · Score: 1, Insightful

    MM is selling tools to build internet based applications. Considering their assets (Allaire), that's what they want the internet to be about. Flash is now capable of being used to build cross-platform applications, with similar advantages to Java. MM is taking advantage of Flash's market penetration. By adding video delivery to Flash - assuming it works comparably to QT, Real, and MS - MM enters the video player market at the top in terms of market share. Many developers will choose to use Flash to deliver video because everybody has it - Flash side-steps the problem of delivering video in 2 or 3 formats, just as it side-steps the issues of 2 or 3 OSes and 2 or 3 browsers. And with the growing popularity of video chat, Flash again side-steps the problems of 2 or 3 different kinds of software. Rather than building a web site that relies on launching a separate video chat application (which one?), you can build video chat into your site or application. For developers, these kinds of capabilities are great. Hopefully someone will use it to build a free open source video chat application and take the pain-in-the-ass out of video conferencing.

    As for 'controlling our machines remotely' - this is old hat. It was probably 4 years ago that I heard about the Coke ad that would open a user's CD tray (obviously created from a tech support joke). What's Flash 6 adding to this? There are lots of good reasons for adding 2-way video support to Flash which are far more important than seeing anybody draped across a keyboard - like losing millions of dollars.

  15. This could be VERY bad by techmuse · · Score: 3, Insightful

    ...for anyone using voice recognition, or any other application where keeping your mike at the CORRECT level is important. What right do they have to change my settings?!

  16. Another reason for me to avoid Flash by niola · · Score: 2, Insightful

    I have never been a big fan of Flash. Not that it is a bad technology, but just like anything else that is remotely cool people use, abuse, and misuse it to the point where the cons outweigh the pros.

    I guess my biggest beef with Flash is that people make IT the content as opposed to using it to accent the content. Ever been to a site where you can't bookmark shit and none of the browser navigation does shit because hitting back only restarts the whole thing? That is the kind of stuff that drives me nuts...

    Just my $.02...

    --Jon

  17. Re:Don't have business associations that test limi by karm13 · · Score: 2, Insightful
    > Flash has caused several very serious security breaches, and the company acknowledges this. A computer under my supervision was totally owned by someone exploiting a bug in a Macromedia product.

    what security breaches?

    > You forgot something very important. Sometimes there has been more than one upgrade to Flash within a month. If a web site uses a later version of Flash than is installed, you see the message.

    afaik, there are flash versions 3 thru 6, with about 2 years between the version steps. there is no flash 5.2.

    > The fact remains, when you use Flash, you are giving your customer list to Macromedia, and to whomever has access to Macromedia computers.

    you are providing them with the urls of companies that have an swf on their site. this could have been any authoring tool that generates swf. but you're right, they probably do this so they don't have to search the web for swfs.

    > The viewer is not aware of any contract. The viewer is aware that he or she must wait. Again, this is extremely bad advertising.

    the viewer doesn't have to do anything. either he or she waits, or decides that it wouldn't be worth it. swfs are small. you can make big swfs, and you can make swfs that really suck. you also can make pretty shitty html sites. if you have that sort of talent.

    > The company is like Microsoft in that they tend to push the limits of what people will accept so that they can make more money.

    they opened up the standard. i don't know what you mean by pushing the limits of what people will accept. but as a company, macromedia wants to make money. just like any other company.

    --
    making up good sigs is a hard thing to do.
  18. Re:a bit alarmist, no? by moncyb · · Score: 3, Insightful

    > Let me tell you this. No one wants to look into your webcam unless you are only slightly over 18, female and have an aversion to wearing clothing.

    You're a bit naive.

    So you're saying that no one would want to see a CEO's webcam that has confidential papers in view of the picture? Papers that could give a competitor an advantage? (or anyone--such information could make a person very rich in the stock market) ...or how about a credit card in view of the cam. Maybe those items would be hard to read, but someone could get lucky, and the mic wouldn't even have this sort of problem if any of this info is spoken aloud. In fact the mic could probably catch information that is even more sensitive...

    Maybe they don't really want to look at your webcam pics, but use them to embarrass you. Ever use your computer in your underwear? Ever change in front of your webcam? Ever pick your nose? Those events could be posted all over the internet.

    > It isn't being invasive, it's off by default. Go cry wolf where it's important.

    So it is off by default. That doesn't guarantee that the plugin doesn't have a bug somewhere that'll allow a webmaster to get access to the webcam or mic anyway. It's another possible way some wacko can access your system. Granted that the most used browsers have known security holes that are much worse, so to some degree you have a point, but it is still a concern.