Flash Can Steal User Credentials

Amit Klein has been coming out with some great stuff lately. First with his Flash header spoofing and Expect vulnerability, and more recently, using the same header spoofing, he can actually use Flash to steal user credentials. Holy crap!

Here’s the basic principle. If the user is sitting behind certain transparent proxies and you send a spoofed Host: header through the Flash redirection, the transparent proxy will send the request to whatever host you specified. The browser is ignorant of that: it adds the credentials for the site it thinks it is talking to, and those credentials are now passed to another host.

Likewise, if the machine you are interested in is sitting on a shared host, you don’t need a transparent proxy. Just get an account on the same machine (same IP) and have the content forwarded to you instead of the correct virtual host. Gotta love it.

Add this onto RFC 1918 space JavaScript proxies, and now you can steal internal user information and send it anywhere to be used by other users at a later date (assuming that user navigates away from the XSS proxy or otherwise closes the connection). But even without taking it that far, just casting a large enough net of users on a large enough application could lead to thousands of compromises on all sorts of different websites (as long as the user had authenticated with those websites recently). Great find, Amit!
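The condition both cases above rely on is a request whose Host: header names a different site than the one the browser believes it connected to, with credentials attached anyway. As an added example (not from Amit's advisory or this post), here is a small detector for proxy logs that flags exactly that mismatch; the log format and sample lines are constructed for illustration:

```python
import re

# Constructed log format (an assumption, not a real proxy's format): one request per line,
#   <url_host> <host_header> <creds>
# url_host    = host the browser resolved from the URL (where the TCP connection went)
# host_header = the Host: header actually sent in the request
# creds       = yes if a Cookie or Authorization header was attached, else no
LOG_LINE = re.compile(r"^(?P<url_host>\S+)\s+(?P<host_header>\S+)\s+(?P<creds>yes|no)$")

# Constructed sample log: two normal requests, one spoofed Host: with credentials
# (the credential-leak case from the post), one spoofed Host: without credentials.
SAMPLE_LOG = """\
intranet.example.test intranet.example.test yes
mail.example.test mail.example.test no
intranet.example.test attacker.example.test yes
shop.example.test attacker.example.test no
"""


def find_host_mismatches(lines):
    """Return (url_host, host_header, had_credentials) for every request whose
    Host: header does not match the host the browser actually connected to.
    Lines that do not match the expected format are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        url_host = m["url_host"].lower()
        host_header = m["host_header"].lower()
        if url_host != host_header:
            hits.append((url_host, host_header, m["creds"] == "yes"))
    return hits


def credential_leaks(lines):
    """Only the mismatches that carried credentials: these are the requests where
    a transparent proxy (or a shared-host neighbour) could have received the
    user's cookies or Authorization header for a site it does not own."""
    return [hit for hit in find_host_mismatches(lines) if hit[2]]


if __name__ == "__main__":
    for url_host, host_header, _ in credential_leaks(SAMPLE_LOG.splitlines()):
        print(f"credentials for {url_host} sent with Host: {host_header}")
```

A proxy that forwards to the original destination IP rather than re-resolving the Host: header would never produce the third line; logging both fields is what makes the check possible.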

