Slashdot Mirror


'Rosetta Flash' Attack Leverages JSONP Callbacks To Steal Credentials

New submitter newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today. It has been dubbed the "Rosetta Flash" attack. JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the new attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e. in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the targeted site, bypassing all Same-Origin policies in place. Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack. Several of these services fixed the vulnerability with a patch prior to the public release, and Tumblr patched within hours of the release.
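The attack in the summary works because a JSONP endpoint echoes the attacker-chosen callback name as the first bytes of a response that another origin then loads. The defensive pattern that counters this is to make sure the response can never begin with caller-supplied bytes and to refuse callback names that are not plain identifiers. The following is an added example written for this page; it is not code from the Slashdot post or from any of the affected services' patches. The names `renderJsonp`, `isSafeCallbackName` and `SAFE_CALLBACK` are assumptions, as is the response object shape.

```javascript
// Added example (not from the original post or any vendor's fix): a hardened
// JSONP response builder. Assumed names: SAFE_CALLBACK, isSafeCallbackName,
// renderJsonp; the returned {status, headers, body} shape is also assumed.

// Accept only a conservative identifier shape (optionally dotted), capped in
// length. This is defence in depth: a callback that is alphanumeric but very
// long is exactly what an abused endpoint would be asked to echo.
const SAFE_CALLBACK =
  /^[A-Za-z_$][A-Za-z0-9_$]{0,63}(\.[A-Za-z_$][A-Za-z0-9_$]{0,63})*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && SAFE_CALLBACK.test(name);
}

// Build the JSONP body. The leading "/**/" comment guarantees the first bytes
// of the response are fixed and not attacker-controlled, so the body cannot be
// made to look like a different file format from its head. "<" is escaped
// inside the JSON payload so the script can also never be read as markup, and
// X-Content-Type-Options: nosniff stops MIME sniffing on the client side.
function renderJsonp(callback, data) {
  if (!isSafeCallbackName(callback)) {
    return {
      status: 400,
      headers: { 'Content-Type': 'application/json; charset=utf-8' },
      body: '{"error":"invalid callback"}',
    };
  }
  const json = JSON.stringify(data).replace(/</g, '\\u003c');
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: '/**/' + callback + '(' + json + ');',
  };
}

// Constructed sample calls (no server involved) so the file runs stand-alone.
console.log(renderJsonp('ns.handler', { user: 'alice', html: '<b>hi</b>' }));
console.log(renderJsonp('not a name', {}));
```

The check worth keeping from this is the combination: validating the callback alone does not help if an alphanumeric name is still echoed at byte zero of the response, and the `/**/` prefix alone does not help if the callback may contain arbitrary JavaScript. Both, plus `nosniff`, close the cross-origin path the summary describes.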

2 of 68 comments

  1. Re:haven't we learned from the last 25 exploits? by Anonymous Coward · Score: 0, Troll

    Some of us would like the internet to be ... well ... useful.

  2. Re:A harmful chaining of shitty browser hacks. by holostarr · Score: 1, Troll

    Either come up with something better or shut up. The browser is far from perfect, but it's continuously evolving and is the best platform currently in existence because of its widespread adoption, standards and ease of development compared to all other platforms. Even many desktop and mobile apps these days are wrapping the browser (or built on top of it) in one way or another (for example PhoneGap and nodejs) and use responsive design to assist with the development. Outside of a few specialized areas where native client-side applications are still necessary, technology is moving in a new direction and the browser and platforms such as Chrome OS are at the centre of it, so you'd better accept it.