Rosetta Flash - SWF encoding for calling from JSONP

    Michele Spagnuolo, a Google security specialist, has written a utility that can encode any SWF file using any chosen character set.
    Why does this matter? Such a file can be passed as the callback parameter to a JSONP endpoint on the site you want to read data from, which bypasses the Same Origin Policy.
    The problem had been known for a long time, but it received little attention precisely because it was extremely hard to produce a SWF file consisting only of characters that can be placed in a callback parameter. Now such a tool exists.
    The utility relies on zlib, custom Huffman tables, and a brute-forced ADLER32 checksum.

    Of the major services, the following were vulnerable:
    • Google Services (,,
    • YouTube
    • eBay
    • Instagram
    • Twitter
    • Tumblr
    • Olark

    How was the vulnerability exploited?

    Suppose there are two domains: one controlled by us and one that is to be attacked.

    On the target domain there is a JSONP script that takes a parameter and echoes its characters into the response:

    There is also a secret page that returns a secret if it is requested with the right cookie set.

    When the user visits the attacker's page, they encounter the following code:

    Where the referenced script is a logger.

    The user's browser will download the SWF file via the JSONP endpoint, open the page with the secret (with the correct cookies, of course), and send its contents to the attacker's remote server. Everything is quite simple and typical.

    Adobe has since released a Flash Player update in which this vulnerability can no longer be exploited.
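    The reflection pattern the post describes, beside the server-side hardening that closes it (callback validation, a `/**/` response prefix, and anti-sniffing headers). This is an added example, not the author's code or Spagnuolo's tool; the callback string and JSON value below are constructed stand-ins, not real Rosetta Flash output.

```python
import re
from typing import Dict, Tuple

# Signatures Flash Player accepts at byte 0 of a file: FWS (uncompressed),
# CWS (zlib-compressed, what Rosetta Flash emits) and ZWS (LZMA).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Conservative JSONP callback grammar: a JavaScript identifier, optionally
# dotted, bounded in length. On its own this is NOT enough: a Rosetta Flash
# payload is purely alphanumeric and would still match, so the response
# prefix in build_jsonp_response() is the part that actually closes the hole.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64


def is_valid_callback(name: str) -> bool:
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.match(name) is not None


def looks_like_swf(body: bytes) -> bool:
    """True if Flash Player could load these bytes as a SWF: the signature
    must sit at offset 0, which is exactly what a reflected callback gives."""
    return body[:3] in SWF_SIGNATURES


def naive_jsonp_response(callback: str, json_payload: str) -> bytes:
    """The vulnerable pattern from the post: callback echoed verbatim at byte 0."""
    return f"{callback}({json_payload});".encode()


def build_jsonp_response(callback: str, json_payload: str) -> Tuple[bytes, Dict[str, str]]:
    """Hardened variant. The leading '/**/' (the fix Google deployed) means byte 0
    can never be a SWF signature whatever the callback is; nosniff plus an
    attachment disposition keep the body from being handed to a plugin."""
    if not is_valid_callback(callback):
        raise ValueError("rejected callback name")
    body = f"/**/{callback}({json_payload});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return body, headers


# Constructed stand-in for a Rosetta-style callback: a real one is a whole
# alphanumeric zlib stream; only the leading 'CWS' matters for this check.
CONSTRUCTED_CALLBACK = "CWSconstructedAlnumPayload0123456789"
SECRET_JSON = '{"secret": "constructed-value"}'

if __name__ == "__main__":
    print(looks_like_swf(naive_jsonp_response(CONSTRUCTED_CALLBACK, SECRET_JSON)))  # True
    body, hdrs = build_jsonp_response(CONSTRUCTED_CALLBACK, SECRET_JSON)
    print(looks_like_swf(body), hdrs["X-Content-Type-Options"])  # False nosniff
```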


    The author's blog post
    More detailed write-up (PDF)
    The utility on GitHub
