|
Flash cookie-snatch investigated
Emberton, 6/11/2002 -
Various versions of Flash Player that support the getURL action can reportedly be used for cross-site scripting (XSS) exploits.
Here's the deal: sites often allow Flash movies to be uploaded, either at shared hosting locations or messageboards. Those movies can contain JavaScript code embedded in a getURL() that can reveal the contents of the cookie associated with that site. The point being that these same sites often restrict the use of regular JavaScript code because of the same issue, but trust Flash movies implicitly. The issue is fully described, complete with samples, at this site: http://eyeonsecurity.net/papers/ Thanks to Jan met Pet-Zonnet for providing this link.
| 
![[Valid RSS]](http://www.actionscript.com/archives/valid-rss.png "Validate my RSS feed"){kind=small}
