Submission: "Rosetta Flash" attack leverages JSONP callbacks to steal cookies! (arstechnica.com)
newfurniturey writes: A new Flash and JSONP attack combination has been revealed to the public today, dubbed the "Rosetta Flash" attack.
JSONP callback functions normally return a JSON blob wrapped in a user-specified callback function, which the browser will then execute as JavaScript. Nothing out of the ordinary here. However, the "Rosetta Stone" attack has leveraged a method of crafting a Flash file to contain a restricted character set that's usable within JSONP callbacks (i.e., in a URL). By combining the two, the attack demonstrates it's possible to use a JSONP URL with the contents of the crafted Flash file as the callback function. When set as the data of a standard HTML object tag, the SWF file executes on the site being targeted, bypassing all Same-Origin policies in place.
Services such as Google, YouTube, Twitter, Tumblr and eBay were found vulnerable to this attack; however, several were patched prior to the public release, and Tumblr patched within hours of the release.
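The following is an added example, not code from the article, the submitter, or the original researcher. It models the two sides of the technique described above: a JSONP endpoint that reflects a whitelisted callback name at byte zero of the response, and the attacker page that embeds that URL in an object tag so the Flash plugin, not the JavaScript engine, parses it. The endpoint shape (?callback=), the sample data, and the callback string are constructed for illustration; the "SWF" used as the callback is not a real Flash file, only a string that starts with the compressed-SWF signature "CWS" and otherwise contains only alphanumerics, which is the property the attack depends on. The hardened variant shows the caveat a practitioner needs: a callback regex alone does not help, because the payload is made entirely of characters a legitimate callback name may contain; what breaks the attack is making sure the response can never begin with a SWF header (a "/**/" prefix) plus defensive headers.

```javascript
// Added example (not from the article or the researcher's code): a minimal
// JSONP responder in vulnerable and hardened form, and the attacker's embed.

// A typical "strict" callback whitelist. Note it accepts any alphanumeric
// string, so it cannot distinguish a callback name from an all-alphanumeric
// SWF body.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$.]*$/;

// Constructed stand-in for the attacker's callback value (assumption: a real
// payload is a zlib-compressed SWF whose every byte is in [A-Za-z0-9]; this
// short string only reproduces the signature and the character-set property).
const ALNUM_SWF_LIKE = "CWS" + "MIKI0hCD0Up0IZ";

// Constructed sample data: the kind of per-user, cookie-authenticated
// response a JSONP endpoint returns.
const DATA = { user: "alice", token: "s3cr3t" };

// Vulnerable variant: validates the callback but reflects it at byte 0.
function jsonpVulnerable(callback) {
  if (typeof callback !== "string" || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${callback}(${JSON.stringify(DATA)});`,
  };
}

// Hardened variant: same whitelist, plus a length cap, a comment prefix so the
// body can never start with a SWF signature, and headers that stop the
// browser/plugin from treating the resource as anything but a script.
function jsonpHardened(callback) {
  if (typeof callback !== "string" || callback.length > 64 || !CALLBACK_RE.test(callback)) {
    return { status: 400, headers: {}, body: "" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
      "Content-Disposition": "attachment; filename=f.txt",
    },
    // "/**/" is a no-op for a JS engine but makes the first bytes "/**/",
    // so the Flash player's signature check fails before it parses anything.
    body: `/**/${callback}(${JSON.stringify(DATA)});`,
  };
}

// Simplified model of the plugin-side check: Flash only parses a resource
// whose first three bytes are a SWF signature (FWS uncompressed, CWS zlib,
// ZWS LZMA).
function looksLikeSwf(body) {
  return /^[FCZ]WS/.test(body);
}

// The attacker's page: an object tag whose data URL is the victim's JSONP
// endpoint with the SWF-as-callback. Because the SWF is fetched from the
// victim's origin, it runs with that origin's privileges (cookies sent, and
// same-origin requests readable from ActionScript). Hostname is hypothetical.
function attackerEmbed(victimOrigin = "https://victim.example") {
  const url = `${victimOrigin}/api/jsonp?callback=${encodeURIComponent(ALNUM_SWF_LIKE)}`;
  return `<object type="application/x-shockwave-flash" data="${url}"></object>`;
}

// Returns true when a response would be accepted by the plugin as a SWF.
function responseIsExploitable(resp) {
  return resp.status === 200 && looksLikeSwf(resp.body);
}
```

Usage: `responseIsExploitable(jsonpVulnerable(ALNUM_SWF_LIKE))` is true even though the callback passed the whitelist, while `responseIsExploitable(jsonpHardened(ALNUM_SWF_LIKE))` is false and a normal callback such as `jQuery_cb1` still works in both. The length cap is defence in depth (a real crafted SWF is far longer than any sane callback name); the `/**/` prefix is the change that actually defeats the technique, and `nosniff` plus `Content-Disposition: attachment` close the equivalent content-sniffing paths in browsers.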