16th Apr 2003 [SBWID-6163]
Macromedia Flash ad user tracking field xss and session retrieval
Scan Security Wire [http://www.scan-web.com] reported:
"Over 497 million Internet users now use Macromedia Flash Player to
seamlessly view content created with Macromedia Flash, the solution for
developing rich Internet content and applications."
A vulnerability discovered in Macromedia Flash ad user tracking field
allows a remote user to perform Cross-Site-Scripting attacks and
retrieve session information.
About the 'clickTAG' option:
Macromedia flash supplies user-tracking field to swf (flash movies)
ads: "The clickTAG is the tracking code assigned by the ad serving
network to an individual ad. The clickTAG allows the network to
register where the ad was displayed when it was clicked on. This click
through data is reported to the ad serving servers so advertisers may
determine the effectiveness of their campaign.
The code below will allow ad serving networks to dynamically assign a
clickTAG to their ad.
In this example, a getURL action is being assigned to a button that
will navigate the browser to ["clickTAG"]. The "getURL(clickTAG)"
statement appends the variable data passed in via the OBJECT EMBED tag
and navigates the browser to that location. It is the tracking code
assigned by the ad serving network, which allows them to register a
user's click on that advertisement.
<EMBED src="ad_banner_example.swf?clickTAG= http://adnetwork.com/tracking?http://www.destinationURL.com" > ..."
The information was taken from Macromedia designer's guide:
Vulnerability details =====================
Vulnerability in the clickTAG field enables a remote user to run
therefore retrieve session information and possibly other sensitive
information. For example in the following script:
("XXXX" = arbitrary script or tag)
Replacing "XXXX" with a script to steal cookies will enable an attacker
to perform session hijacking if the session is saved in the cookie, or
to gain the private information present in ad tracking cookies.
To prevent session-hijacking, it is recommended to configure the flash
ads to run on a separate sub-domain. This will prevent session
hijacking, although it will not prevent privacy leaks pertaining to the
"A new player version is NOT required. Macromedia Flash advertisements
that accept clickTAGs need to validate that the clickTAG URL begins
with "http:". This helps ensure the clickTAG does not contain malicious
code." Quote from the official Macromedia security advisory.
We recommend that all user input should be filtered for malicious code
and characters and never trusted "as-is".
Macromedia has also revised the Designer's Guide and added this note:
"Note: The ActionScript in this Flash advertisement is verifying that
the clickTAG URL begins with "http:". This is an important security
measure. If you do not take this precaution, a malicious HTML page
could source your SWF and pass a clickTAG URL that begins with
ActionScript code were to call getURL with a maliciously crafted
HTML page to obtain the contents of your HTTP cookies or perform other
actions on your site's behalf."