Understanding the Rosetta Flash vulnerability

Rosetta is a new way to create Flash files, which made possible a new kind of vulnerability affecting many websites, including very popular ones.

Scenario: you’re using (for example) LinkedIn…

…but you accidentally visit a malicious website…

…that wants to take over your LinkedIn account.


It’s common for a website to receive some information from external websites: for example, this is how the “Like” buttons (Facebook, Twitter, Google+…) you often see on external websites work. A common method is to make a request to the target website and pass your own function as a parameter; the target calls that function back and hands it JSONP (JavaScript Object Notation with Padding) formatted data. This is commonly called a JSONP request.


 

The malicious site can make a JSONP request to LinkedIn and pass its Malicious() function as the callback parameter.

LinkedIn then returns the JSONP-formatted data by calling Malicious() (in the context of the malicious page).

Malicious() can only read the information that LinkedIn sends: it can’t modify information and it can’t control what is sent. This explains why JSONP requests are commonly used, even if they can look like an information leak: when implemented correctly, JSONP is not a security risk in itself, because external websites can’t control the information that is sent. But if a Flash file were passed as the callback parameter instead of a function like Malicious(), it could have more control, because the browser would execute it in the context of the target site (and if you’re wondering why, that’s just how Flash works). To prevent that, JSONP requests only accept printable characters in callback parameters:

._0123456789 abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

A Flash file usually contains many non-printable characters, so it can’t be used as a callback parameter.


Enter the Rosetta Flash vulnerability, known as CVE-2014-4671. With complex tricks, it’s actually possible to make a Flash file made only of printable characters. When such a Flash file is used as a callback parameter, the browser executes it in LinkedIn’s context: this gives the malicious website control over the LinkedIn page’s information. It affected many major websites:

LinkedIn, eBay, Google, Instagram, Twitter, YouTube, Baidu, Tumblr, Flickr, Yahoo!


A simple way for a website to prevent this is to prepend a comment (such as /**/) at the start of the callback parameter: this prevents the callback parameter from being interpreted as Flash, as Flash files are not allowed to start with comment characters, even with Rosetta.
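The sketch below shows why the character filter alone is not enough and what the /**/ prefix changes. It is an added example, not code from the article or from any affected site: the function names, the sample data and the placeholder callback are constructed for illustration, and it assumes the standard three-byte SWF signatures (FWS, CWS, ZWS) as the test for "starts like a Flash file".

```javascript
// Added example: names, sample data and the placeholder callback are constructed.
const CALLBACK_CHARSET = /^[A-Za-z0-9_.]+$/; // the allowed set quoted in the article
const SWF_SIGNATURES = ["FWS", "CWS", "ZWS"]; // first three bytes of a SWF file

// "Before": the callback is reflected at byte 0 of the response body.
function jsonpLegacy(callback, data) {
  if (!CALLBACK_CHARSET.test(callback)) return null;
  return callback + "(" + JSON.stringify(data) + ");";
}

// "After": same validation, but an empty comment is written first.
function jsonpHardened(callback, data) {
  if (!CALLBACK_CHARSET.test(callback)) return null;
  return "/**/" + callback + "(" + JSON.stringify(data) + ");";
}

// Does the response body begin with a SWF signature?
function startsLikeSwf(body) {
  return SWF_SIGNATURES.includes(body.slice(0, 3));
}

// Constructed placeholder, NOT a real Flash file: a SWF-like signature
// followed by alphanumeric filler, which is all the filter inspects.
const placeholderCallback = "CWS" + "A".repeat(64);
const data = { name: "example" };

function demo() {
  const legacy = jsonpLegacy(placeholderCallback, data);
  const hardened = jsonpHardened(placeholderCallback, data);
  return {
    filterAccepts: legacy !== null,                  // printable-only input passes
    legacyLooksLikeSwf: startsLikeSwf(legacy),       // body starts with "CWS"
    hardenedLooksLikeSwf: startsLikeSwf(hardened),   // body starts with "/**"
    rejectsNonPrintable: jsonpHardened("CWS\u0000\u00ff", data) === null,
    normalCallbackStillWorks: jsonpHardened("handleProfile", data),
  };
}

console.log(demo());
```

A legitimate caller is unaffected by the prefix, because a leading empty comment is ignored when the response is evaluated as JavaScript.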
