Flash as spyware

Paul Lussier p.lussier at comcast.net
Tue Mar 28 22:34:01 EST 2006


Bill Sconce <sconce at in-spec-inc.com> writes:

> (Did anyone here know that installing Flash gives websites the
> ability to write to and read from your hard disk?  I didn't.)

Yup, discovered it when I was debugging why Flash wasn't working for
some inexplicable and long since forgotten reason.  But if you watch
/tmp when you click on a Flash widget to load it, you'll see a new
file pop into existence, which you can then copy off and run whenever
you want :)

But this is nothing new.  Websites have always had the ability to
write to local disk; your browser does that for them.  How do you
think your .[mozilla,galeon, whatever]/cache directory fills up with
so much crap?  You tell your browser to go download all that crap at
some point...  From there it's trivial to craft a website to stick
things in different locations based on the OS type *your* browser
communicates to the server.  When you connect, you open a socket, the
server is at the other end, it now just needs to stuff things down
that pipe and ask your browser to deposit it somewhere on your system.

How do you think all those ActiveXploits work :)

-- 

Seeya,
Paul



More information about the gnhlug-discuss mailing list