How the love of music helped find a vulnerability in Flash

On a warm winter evening, I was sitting at the computer and decided to relax by playing the piano. Since I have neither a piano nor a synthesizer, I started searching for an online piano with examples for a regular QWERTY keyboard.

The search led me to a forum page where many online services were offered. After clicking on one of them and playing for a while, I opened a new tab and began typing the address of the site I wanted. Imagine my surprise when, as I typed the address, I heard piano sounds.

Not believing it, I tried typing something else and again heard a sound. I began to figure out which program the sound was coming from, because I had closed the piano page, but the forum page remained open. By poking around and closing several tabs, I found the source of the sound. It turned out to be a Flash piano, ZebraKeys, embedded in a message on the forum.
Realizing that this was a serious vulnerability, I started testing it in other browsers (up to that point it had all been in Opera).

The check showed:
Mozilla - the sound was produced in all tabs, including when focus was simply on the page;
Chrome - only in the current tab, and only when focus was in some Flash application on that page;
IE 9 - only in the current tab, including when focus was simply on the page.

Since this vulnerability could lead to the interception of personal data, including passwords, I wrote letters to Opera, Mozilla (through the Mozilla Security Bug Bounty Program) and Adobe. Since I do not speak English fluently, I used Google Translate.

Opera was the first to respond, within a day, thanking me for the bug found and fixing it in a short time, and switching me to a Russian-speaking employee to make it easier to convey my thoughts.
Flash applications now receive key presses only when a Flash application is in focus, even if it is in a different tab. It is not possible to separate by tabs, as in Chrome, since Chrome has a separate process for each tab.

Mozilla answered later, saying that they could not reproduce it and asking which OS and plugins were installed. After answering that it was Windows and such-and-such plugins, I waited for a further reply, and to my surprise heard once again that they could not reproduce the problem. Having written to them once more that it was Windows, not Linux and not Mac OS, I finally got the answer from Mozilla that yes, they had managed to reproduce it: they had tried on other OSes, then tried on Windows and heard the sound. Thanking me for my persistence and for the bug found, they also wrote that the bug was already known (and provided a link) and that the problem was already being solved. That is, I will not be seeing the $3000 for a synthesizer from the Mozilla Security Bug Bounty Program. I wrote back that they could have written the vulnerability report themselves, retroactively. By the way, a little less than a month has passed, and in the new Mozilla 9 this vulnerability is still present: you can "play the piano right in the address bar."

Adobe still hasn't answered, although I wrote to an address that was hard to find on the Internet, support [] adobe.com. It may not even exist, but I could not find any form on their website for submitting something without registering.

Summary

In one form or another the vulnerability is present in all browsers on Windows, because Flash on this OS takes keyboard input through the Windows API instead of receiving keyboard events through the browser plugin API (NPAPI). The practical consequence is that the browser does not get to decide which plugin instance, if any, should see a keystroke: a Flash application embedded in a background tab can read what is typed into another tab or into the address bar. There is a way to block key reading for all Flash applications, but it cannot be done for individual applications. That is, either all Flash applications read the keyboard or none of them do (thanks to an Opera employee for this clarification).
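To make the three behaviours described on this page concrete, here is an added example, written for this edit and not taken from the post, from Opera, Mozilla or Adobe, and not the real Flash or NPAPI code. It models a browser's plugin host with three keystroke-routing policies: the "broadcast" behaviour observed on Windows, the focused-plugin rule Opera adopted, and the per-tab isolation that a process-per-tab browser like Chrome gets for free. Policy names, the class names, the tab titles and the typed secret "hunter2" are all constructed for the example.

```javascript
// Added example (not the post's, Opera's or Adobe's code): a constructed model
// of how a browser's plugin host routes keystrokes to embedded plugin instances.
const Policy = Object.freeze({
  // Every plugin instance in every tab sees every keystroke: what the post
  // observed on Windows, where Flash read the keyboard through the OS API
  // rather than through events the browser chose to hand it.
  BROADCAST: "broadcast",
  // Only the plugin instance that holds keyboard focus gets the keystroke,
  // whichever tab is active (the Opera fix as the post describes it).
  FOCUSED_PLUGIN: "focused-plugin",
  // As above, but the instance must also live in the active tab (what a
  // per-tab process model gives you for free).
  ACTIVE_TAB_FOCUSED_PLUGIN: "active-tab-focused-plugin",
});

class PluginInstance {
  constructor(name) {
    this.name = name;
    this.captured = []; // every key this instance has been handed
  }
  onKey(key) {
    this.captured.push(key);
  }
}

class Tab {
  constructor(title) {
    this.title = title;
    this.plugins = [];
  }
  embed(plugin) {
    this.plugins.push(plugin);
    return plugin;
  }
}

class BrowserModel {
  constructor(policy) {
    if (!Object.values(Policy).includes(policy)) throw new Error(`unknown policy ${policy}`);
    this.policy = policy;
    this.tabs = [];
    this.activeTab = null;
    // null: keyboard focus is in browser UI (address bar) or plain page content.
    this.focusedPlugin = null;
  }
  openTab(title) {
    const tab = new Tab(title);
    this.tabs.push(tab);
    this.activeTab = tab;
    this.focusedPlugin = null; // a new tab puts focus in the address bar
    return tab;
  }
  // Switching tabs (say, with a keyboard shortcut) does not move keyboard
  // focus in this model: a plugin that had focus keeps it in the background.
  switchTo(tab) {
    this.activeTab = tab;
  }
  focusPlugin(plugin) {
    this.focusedPlugin = plugin;
  }
  // Which plugin instances the host hands the next keystroke to.
  recipients() {
    switch (this.policy) {
      case Policy.BROADCAST:
        return this.tabs.flatMap((t) => t.plugins);
      case Policy.FOCUSED_PLUGIN:
        return this.focusedPlugin ? [this.focusedPlugin] : [];
      case Policy.ACTIVE_TAB_FOCUSED_PLUGIN:
        return this.focusedPlugin && this.activeTab.plugins.includes(this.focusedPlugin)
          ? [this.focusedPlugin]
          : [];
    }
  }
  type(text) {
    for (const key of text) {
      for (const plugin of this.recipients()) plugin.onKey(key);
    }
  }
}

// Scenario 1, the post's own: play the embedded piano, open a new tab and type
// into its address bar. Returns everything the piano instance received.
function typedInAddressBar(policy) {
  const browser = new BrowserModel(policy);
  const forum = browser.openTab("forum");
  const piano = forum.embed(new PluginInstance("ZebraKeys piano"));
  browser.focusPlugin(piano);
  browser.type("cde"); // playing: legitimately delivered to the piano
  browser.openTab("other site");
  browser.type("hunter2"); // constructed secret typed into the address bar
  return piano.captured.join("");
}

// Scenario 2: the piano keeps focus, the user switches tabs with a shortcut
// and types. This is the case the focused-plugin rule alone cannot close.
function typedWithPluginFocusedInBackgroundTab(policy) {
  const browser = new BrowserModel(policy);
  const forum = browser.openTab("forum");
  const piano = forum.embed(new PluginInstance("ZebraKeys piano"));
  const other = browser.openTab("other site");
  browser.switchTo(forum);
  browser.focusPlugin(piano);
  browser.switchTo(other);
  browser.type("hunter2"); // constructed secret typed while another tab is active
  return piano.captured.join("");
}

if (typeof require !== "undefined" && require.main === module) {
  for (const policy of Object.values(Policy)) {
    console.log(policy, typedInAddressBar(policy), typedWithPluginFocusedInBackgroundTab(policy));
  }
}
```

Run under the broadcast policy, the piano in the forum tab collects the password typed into the other tab's address bar, which is the behaviour the post describes in Opera and Firefox on Windows. The focused-plugin policy closes that case but still delivers keystrokes to a focused plugin in a background tab, which is the limitation the Opera employee described; only tying delivery to the active tab as well, which a process-per-tab browser does naturally, keeps the background instance blind.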

PS On that forum page there is an excellent piano that will interest people who use the ten-finger touch-typing method, since there you can open the examples of melodies (which key on a regular keyboard to press) and the piano itself at the same time. Very convenient. There are also many other examples in their Facebook group.
