A serious exploit making use of an age-old Adobe Flash exploit can expose the data of millions of end users on popular websites like eBay, Tumblr and Instagram among others. Ars Technica reports that this information was revealed by a security researcher who is an industry expert in these matters.
The attack relies on the fact that the binary contents of an Adobe Shockwave (swf) file can be converted into an equivalent file based solely on alphanumeric characters. Ars Technica notes that the conversion compresses the swf file, enabling to work with websites that use a technique known as JSNOP - OR JSON with padding. JSNOP allows these websites to set browser cookies and perform other tasks.
A proof-of-concept tool, 'Rosetta Flash', embeds malicious commands into the duplicated swf file which contains only alphanumeric characters. These malicious swf files can use the visitor's Flash application to send Web requests that can access authentication cookies and other files set by other websites that use JSONP.
Google and Twitter were also susceptible to this exploit until recently, when they patched the website. A spokesperson from Tumblr also informed Ars Technica that the website has been patched. In fact, Adobe has already released a Flash Security Update to mitigate the exploit. While users might take time to install the fix, the engineer has suggested that large websites make server-side changes that will minimise the damage attackers can inflict on visitors. It is advised that website operators should avoid using JSONP on sensitive domains. The common identifier assigned to the exploit is CVE-2014-4671.