4 items tagged “swf”
2009
flXHR. I was looking for something like this recently, glad to see it exists. flXHR is a drop-in replacement for regular XMLHttpRequest which uses an invisible Flash shim to allow cross-domain calls to be made, taking advantage of the Flash crossdomain.xml security model.
Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from-domain=“*” in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files.
2008
Adobe and Industry Leaders Establish Open Screen Project (via) Talk about burying the lede... the real story is that Adobe are going to drop the license restriction that prevents other people from implementing SWF players. They’re also publishing the AMF and Flash Cast protocols and removing licensing fees for Flash Player on devices.
2006
How the myspace SWF hack worked. If Flash is a vector for XSS, is this the end of Flash badges?