Rosetta Flash: An Adobe Flash Exploit Leveraging JSONP Callback

By ISBuzz Team
Writer , Information Security Buzz | Aug 27, 2014 06:03 pm PST

Steve Jobs always had a thing against Flash. Maybe it started when Adobe snubbed him in 1999, refusing to rewrite Adobe software for his new iMac operating system after he returned to Apple as CEO. He called Flash “a spaghetti-ball piece of technology that has lousy performance and really bad security problems.” Jobs refused to allow Flash to run on iPhones and iPads, and he banned apps from the App Store that used a compiler to run Flash code on iOS. Flash was “buggy,” a battery hog and made by “lazy” developers.


Adobe no longer supports the Flash Player for mobile devices, having bowed to the inevitable supremacy of HTML5. However, the Flash Player plug-in still runs on desktop computers. In early July, Google security researcher Michele Spagnuolo published a proof-of-concept tool called Rosetta Flash that abuses JSONP callback reflection to turn a vulnerable site's own API endpoint into a source of malicious Shockwave Flash (SWF) content, letting an attacker exfiltrate a victim's data from that site. Rosetta Flash underscores the continuing need for comprehensive network security protection. Spagnuolo's tool shows that although Steve Jobs's attack on Flash was at least partially personal, he might have been right about its "really bad security problems."

What Is JSONP Callback?

JSON, or JavaScript Object Notation, is a text format for exchanging structured data as name/value pairs. For example, a JSON object describing a person named Jasmine could carry her height, weight, hometown, age and gender, and a script that receives it can read a single field such as the hometown by name.

JSONP (JSON with padding) lets a Web page load JSON from a site outside its own domain. The same-origin policy stops a page from reading a cross-domain response with XMLHttpRequest, but a <script> tag may load from anywhere, so the page adds a script tag pointing at the remote API and names a function in a query parameter, typically callback. The API answers with JavaScript that wraps the JSON in a call to that function: callback=handleData produces a body of the form handleData({...}). A JSONP request could in this way pull a photographer's photos from a photo-sharing site like Flickr onto the photographer's personal domain. JSONP callback is convenient and makes it easy for developers to share information across domains; the detail that matters for Rosetta Flash is that the callback name chosen by the requester is reflected verbatim as the first bytes of the response.

How Rosetta Flash Works

Security researchers had known for a long time that reflecting the JSONP callback parameter was dangerous in principle. However, most large companies held off on mitigations until they saw a working proof of concept, which Spagnuolo provided with Rosetta Flash. The tool takes any SWF file and re-encodes it, using zlib compression with a Huffman encoding chosen for the purpose and a brute-forced Adler-32 checksum, so that every byte of the result is an alphanumeric character. Such a string passes the loose "letters and digits only" check that most JSONP endpoints applied to the callback name, so the endpoint echoes it back as the start of its response. Flash Player, for its part, decided whether a response was a SWF by sniffing its first bytes (the CWS header of a compressed SWF) rather than by the Content-Type header, so the vulnerable domain ends up serving an attacker-controlled Flash file without anything ever being uploaded to it.

When a victim visits an attacker's page that embeds such a URL, the Flash plug-in loads the SWF from the vulnerable domain and, under Flash's security model, treats it as content belonging to that domain. The SWF can therefore make requests to the vulnerable site that the browser authenticates with the victim's cookies, and read the responses, without the user knowing that anything is happening. The data is then sent to an attacker-controlled domain. The attack, according to Spagnuolo, looks something like this:

1.) Attacker crafts the callback parameter. The attacker requests the JSONP API endpoint with callback set to the alphanumeric SWF produced by Rosetta Flash, so that the first bytes of the endpoint's response are a SWF header.

2.) Content is executed as Flash. On an attacker-controlled page, an <object> tag embeds that URL on the vulnerable domain as a Flash movie. Because the response starts with a SWF header, Flash Player runs it as a SWF carrying the vulnerable domain's origin.

3.) Data is read with GET and POST requests. The SWF issues GET and POST requests to the vulnerable domain; the browser attaches the victim's session cookies, so the responses contain the victim's data, which the SWF forwards to the attacker's server. The attacker never reads the cookies themselves, only the responses they unlock.
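The flow above as an added worked example in Python (example code written for this page, not Spagnuolo's tool and not from the original article). ALNUM_SWF_STANDIN is a constructed stand-in that is alphanumeric and begins with the compressed-SWF header; it is not a working SWF. The vulnerable.example URL and the sample record are hypothetical. jsonp_vulnerable models the reflecting endpoint, sniffs_as_swf models how Flash Player identified a SWF before Adobe's fix, attack_embed builds the attacker's <object> tag for step 2, and jsonp_hardened applies the server-side mitigations Spagnuolo recommended.

```python
import json
import re
from urllib.parse import urlencode

# Constructed placeholder for a Rosetta Flash payload. The real tool emits a
# complete zlib-compressed SWF made only of [A-Za-z0-9]; here we only need a
# string that passes an "alphanumeric callback" filter and begins with the
# three-byte header of a compressed SWF, "CWS". It is not a working SWF.
ALNUM_SWF_STANDIN = "CWS" + "hnB9kL2m" * 5

# Headers Flash Player sniffed for: uncompressed, zlib- and LZMA-compressed SWF.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def sniffs_as_swf(body: bytes) -> bool:
    """Model of pre-fix Flash Player: the decision to treat a response as a
    SWF was made on its first three bytes, not on the Content-Type header."""
    return body[:3] in SWF_MAGIC


def jsonp_vulnerable(callback: str, data: dict) -> bytes:
    """Typical JSONP endpoint of the time: the callback is checked only for
    being alphanumeric and is then reflected as the first bytes of the body."""
    if not callback.isalnum():
        raise ValueError("callback must be alphanumeric")
    return f"{callback}({json.dumps(data)})".encode()


def attack_embed(vulnerable_endpoint: str, payload: str) -> str:
    """Step 2: the attacker's page embeds the vulnerable endpoint as a Flash
    movie. The browser fetches it from the vulnerable origin, and Flash Player
    sniffs the reflected callback as a SWF belonging to that origin."""
    url = vulnerable_endpoint + "?" + urlencode({"callback": payload})
    return f'<object type="application/x-shockwave-flash" data="{url}"></object>'


# Mitigations from Spagnuolo's write-up, combined.
SANE_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")


def accepts_callback(callback: str) -> bool:
    """Only JavaScript-identifier-like names of sane length; a real Rosetta
    Flash payload is hundreds of characters long and is rejected here."""
    return SANE_CALLBACK.fullmatch(callback) is not None


def jsonp_hardened(callback: str, data: dict):
    """Hardened endpoint: same JSONP behaviour for legitimate clients, but the
    response can no longer be parsed as a SWF whatever the callback is."""
    if not accepts_callback(callback):
        raise ValueError("invalid callback name")
    # A leading JavaScript comment makes byte 0 a '/', so the body can never
    # start with FWS/CWS/ZWS. Browsers still execute it as script.
    body = f"/**/{callback}({json.dumps(data)});".encode()
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        # Defence in depth: asks clients not to content-sniff the body.
        "X-Content-Type-Options": "nosniff",
        # Does not affect <script src> JSONP loads, but Flash Player refuses
        # to run a movie served as an attachment.
        "Content-Disposition": "attachment; filename=f.txt",
    }
    return body, headers


if __name__ == "__main__":
    record = {"user": "jasmine", "hometown": "Lisbon"}  # constructed sample record
    print(attack_embed("https://vulnerable.example/api/user", ALNUM_SWF_STANDIN))
    print("vulnerable body sniffs as SWF:",
          sniffs_as_swf(jsonp_vulnerable(ALNUM_SWF_STANDIN, record)))
    print("hardened body sniffs as SWF:  ",
          sniffs_as_swf(jsonp_hardened(ALNUM_SWF_STANDIN, record)[0]))
```

The callback whitelist alone is not enough: the stand-in is short enough to pass it, which is why the `/**/` prefix is the load-bearing fix. The regex mainly stops the very long real payloads and any non-identifier junk, and the two headers cover clients that would otherwise sniff.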

Who Is Vulnerable?

Many large players have already fixed their JSONP callback endpoints. These include eBay, Twitter, Google, Instagram, Tumblr and Olark. Adobe has also issued a Flash Player update to address the problem on the client side. Graham Cluley points out that when users download the latest Adobe Flash Player, the installer tries to bundle a security suite with the download. He suggests opting out of the added download when getting the latest version of Flash Player.
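Operators who want to know whether their own JSONP endpoints were probed can look for the tell-tale callback in their access logs. The following is an added Python example (not from the article and not part of Spagnuolo's tool) that scans combined-format log lines for callback parameters that start with a SWF header or do not look like a JavaScript function name. The log lines are constructed for this example, with addresses from the documentation ranges, and PAYLOAD_STANDIN is a constructed alphanumeric stand-in rather than a real Rosetta Flash SWF.

```python
import re
from urllib.parse import parse_qs, urlsplit

SWF_MAGIC = ("FWS", "CWS", "ZWS")
CALLBACK_PARAMS = ("callback", "jsonp", "jsoncallback", "cb")
# What a legitimate JSONP callback looks like (jQuery's auto-generated names
# such as jQuery17102397624540868571_1404998531 fit comfortably).
SANE_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")
# Pull the request target out of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed stand-in for a Rosetta Flash payload: alphanumeric, starts with
# the compressed-SWF header, and far longer than any real callback name.
PAYLOAD_STANDIN = "CWS" + "hnB9kL2m" * 40

# Constructed sample log lines. Line 3 is a bare probe: too short to be a SWF,
# but someone is clearly testing whether "CWS" comes back at byte 0.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2014:14:02:11 +0000] "GET /api/user?callback=jQuery17102397624540868571_1404998531 HTTP/1.1" 200 512 "https://www.example.com/" "Mozilla/5.0"',
    f'198.51.100.9 - - [10/Jul/2014:14:02:13 +0000] "GET /api/user?callback={PAYLOAD_STANDIN} HTTP/1.1" 200 1187 "https://attacker.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2014:14:02:14 +0000] "GET /api/user?callback=CWS HTTP/1.1" 200 500 "-" "curl/7.35.0"',
    '203.0.113.7 - - [10/Jul/2014:14:02:15 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


def inspect_request_target(target: str) -> list:
    """Reasons a request target looks like a Rosetta-Flash-style attempt;
    an empty list means the callback (if any) looks like ordinary JSONP use."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in CALLBACK_PARAMS:
        for value in params.get(name, []):  # parse_qs already percent-decodes
            if value[:3] in SWF_MAGIC:
                reasons.append(f"{name} starts with SWF header {value[:3]}")
            if not SANE_CALLBACK.fullmatch(value):
                reasons.append(f"{name} is not a plausible function name ({len(value)} chars)")
    return reasons


def scan_log(lines) -> list:
    """Return (line_number, reasons) for every request that looks suspicious."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = inspect_request_target(match.group(1))
            if reasons:
                findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: " + "; ".join(reasons))
```

The header check is case-sensitive on purpose, since Flash Player's magic is; the length and character-class check catches payloads whose first bytes were percent-encoded or otherwise disguised in the raw log, because parse_qs decodes them before inspection.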

Many cyber security companies have warned about the dangers of cyber attacks on small businesses and individuals. Researchers like Spagnuolo, who received a $3,000 Internet Bug Bounty through HackerOne for his work, try to find vulnerabilities before attackers can pinpoint and exploit them. It's important to note that there have been no reports of criminals using Rosetta Flash to steal sensitive data in the wild. It is a white-hat proof-of-concept tool, not malware, developed while researching vulnerabilities in the "spaghetti-ball piece of technology" that is Flash.

Adobe Flash screenshot image by Duncan Hull from Flickr Creative Commons