Xavier's Security Post
Monday, June 05, 2006
Your Space, My Flash, His Cookies
I've spent some time looking at Flash files, and the ActionScript code within, looking for vectors of attack. I've found that high profile sites the likes of MySpace, Xanga, and Google (the da vinco promotions) are quick to embed promotional Flash objects on their pages without proper assessment.
Imagine a situation where an advertiser creates a quick and almost seemingly innocent Flash animation, but inside in its Action frames there is something quite wrong. Now imagine the "wrong" I reference is actually the following:
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
The vulnerability above is not new, in fact the research was carried out by a firm called "Scan Security Wire" a few years ago. They discovered that advertisers were (and still are) using a simple click tracking mechanism. The code was widely distributed among advertiser sites and affiliates, the problem of course was that it was not properly evaluated. One has to wonder why even to this day, three years after the discovery and updated guide, high profile sites still fall prae to it.
Searching google for "clicktag" produces about thirty thousand pages. Some hits are caches of the vulnerability advisory, others are vulnerable sites, and the rest are advertisers showing clients how to create vulnerable clickTAG-style Flash files. Disinformation.
The following URLs are evidence that high profile advert networks and cooperations are spreading the vulnerability:
MSN, MSN #2 (.pdf), MSN #3, MSN #4, MSN #5, MSN #6, MSN #7, MSN #8, MSN #9, MSN #10, MSN #11
Yahoo (.pdf), Yahoo #2
Doubleclick, Doubleclick #2 (.pdf)
CNN
CNET (.doc)
VH1
CBS
FOX
Oxygen (.pdf)
Forbes
ifilm
MTV
NYTimes
Heise
OSTG / Slashdot (.pdf)
The high profile sites mentioned above are continuously propagating out-dated and vulnerable clickTAG code which will then spread through their advertisers. Those advertisers will turn around and upload their vulnerable .swf files to their web servers, or their marketing networks, and open up the XSS attack vector.
XSS (Cross Site Scripting) is not severe enough that you can execute remote commands on a server, but client-side it can be a mess. The Samy and GodOfTheNoose worms that spread to millions of users worldwide on MySpace (though malicious only in its infection and propagation) cost MySpace hours of work, a multitude of bandwidth costs (due to the spread) and presumably left a bad taste in the mouth of advertisers and cooperate owners of the site.
I've contacted MySpace recently concerning several XSS holes specific to the clickTAG vulnerability, same goes for Xanga. One has to assume a multitude of high profile sites are affected by this bug. Below are some Proof of Concepts of the attack mentioned in this post:
https://adwords.google.co.uk/select/imageguidelines.html ¶ 6/05/2006 06:11:00 PM 0 comments
Imagine a situation where an advertiser creates a quick and almost seemingly innocent Flash animation, but inside in its Action frames there is something quite wrong. Now imagine the "wrong" I reference is actually the following:
{The above code is executed when a user clicks on the banner, and clickTag (for example) is actually a variable with a value specified inside the site (usually something like: "http://adstracking.whatever.com/redir?url=http://ads.hatever.com/ads.aspx?ad=124"). It ends up opening up a vector of attack: Cross Site Scripting. It should be noted that in order for the XSS attack to occur, the victim must click on the image/ad once they've been redirected to the malicious URL.
getURL(clickTag, "_top");
}
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
The vulnerability above is not new, in fact the research was carried out by a firm called "Scan Security Wire" a few years ago. They discovered that advertisers were (and still are) using a simple click tracking mechanism. The code was widely distributed among advertiser sites and affiliates, the problem of course was that it was not properly evaluated. One has to wonder why even to this day, three years after the discovery and updated guide, high profile sites still fall prae to it.
Searching google for "clicktag" produces about thirty thousand pages. Some hits are caches of the vulnerability advisory, others are vulnerable sites, and the rest are advertisers showing clients how to create vulnerable clickTAG-style Flash files. Disinformation.
The following URLs are evidence that high profile advert networks and cooperations are spreading the vulnerability:
MSN, MSN #2 (.pdf), MSN #3, MSN #4, MSN #5, MSN #6, MSN #7, MSN #8, MSN #9, MSN #10, MSN #11
Yahoo (.pdf), Yahoo #2
Doubleclick, Doubleclick #2 (.pdf)
CNN
CNET (.doc)
VH1
CBS
FOX
Oxygen (.pdf)
Forbes
ifilm
MTV
NYTimes
Heise
OSTG / Slashdot (.pdf)
The high profile sites mentioned above are continuously propagating out-dated and vulnerable clickTAG code which will then spread through their advertisers. Those advertisers will turn around and upload their vulnerable .swf files to their web servers, or their marketing networks, and open up the XSS attack vector.
XSS (Cross Site Scripting) is not severe enough that you can execute remote commands on a server, but client-side it can be a mess. The Samy and GodOfTheNoose worms that spread to millions of users worldwide on MySpace (though malicious only in its infection and propagation) cost MySpace hours of work, a multitude of bandwidth costs (due to the spread) and presumably left a bad taste in the mouth of advertisers and cooperate owners of the site.
I've contacted MySpace recently concerning several XSS holes specific to the clickTAG vulnerability, same goes for Xanga. One has to assume a multitude of high profile sites are affected by this bug. Below are some Proof of Concepts of the attack mentioned in this post:
MySpace: #1, #2, #3, #4, #5, #6, #7, #8, #9It should be noted that Google, AOL, and Time (magazine), among others, seem to have directed their advertisers into the right direction by showing real-world examples of working examples that do not compromise their security. Example:
Yahoo: #1
Xanga: #1
https://adwords.google.co.uk/select/imageguidelines.html ¶ 6/05/2006 06:11:00 PM 0 comments