http://www.davidflanagan.com/blog/2005_12.html
December 05, 2005
Flash Persistence Security: false alarm, or lingering flaw?
Okay, I've done some more investigation. After Brad Neuberg reported (in the comments of a previous blog entry here) that he could not reproduce the security hole I reported using his AMASS library, I tried myself. I couldn't reproduce it with AMASS either.
I think I've figured out what is going on. In my experiments with Flash persistence, I was using a little SWF movie that did nothing but load and store persistent data. When it started up, it would load the persistent data and pass it to JavaScript with an FSCommand. This is what opened up the hole: another webpage, in a different domain, could hotlink the SWF, setting allowScriptAccess=always, and still receive the FSCommand and the persistent data.
I modified my SWF so that the FSCommand just notifies JavaScript that data is ready. Then the JavaScript code has to ask for that data with a GetVariable command. This seems to be more secure: according to the Macromedia website, the Flash player (in version 7 and later) doesn't allow cross-domain invocation of GetVariable and SetVariable. There might still be a problem here for player versions less than 7, but I think I can defend against that in the ActionScript code.
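The push-versus-pull change described above, as an added ActionScript 2 sketch that is not the SWF from this post; the SharedObject name "persist", its field "payload", the sample value and the host-page movie id "store" are all assumed.

```actionscript
// Added example, not the original SWF. Assumed names: SharedObject "persist",
// field "payload", host-page movie id "store".
var so:SharedObject = SharedObject.getLocal("persist");
if (so.data.payload == undefined) {
    so.data.payload = "sample-preferences";   // constructed sample value
    so.flush();
}

// --- Before: push. The value rides on the FSCommand itself, so any page that
// embeds this SWF with allowScriptAccess=always, whatever its domain, receives
// it as `args` in its store_DoFSCommand(command, args) handler.
function exportByPush():Void {
    fscommand("data", so.data.payload);
}

// --- After: pull. The SWF only signals readiness and parks the value in a
// _root timeline variable; the host page must fetch it with GetVariable,
// which Flash Player 7 and later refuses across domains.
var payload:String;
function exportByPull():Void {
    payload = so.data.payload;      // becomes _root.payload
    fscommand("ready", "");
}

exportByPull();

/* Host-page side (JavaScript, for reference only):
   function store_DoFSCommand(command, args) {
     if (command == "ready") {
       var movie = document.getElementById("store");
       var value = movie.GetVariable("/:payload");  // cross-domain call denied in Player 7+
     }
   }
*/
```

The pull design still leaves the SWF itself reading the shared object when hotlinked; it only stops the value from leaving the player via the FSCommand argument.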
Note that when my SWF is hotlinked, it can access the shared data. All I've done is modify it so that it no longer exports the data. I argue that there is still a security flaw here. When my SWF is hotlinked by a different domain, it should not be able to access the persistent data at all. The security team at Macromedia might argue that the security hole was in my code, and that I created it with my ignorant use of fscommand().
My apologies for raising what may have been a false alarm.