On a warm winter evening I was sitting at the computer and decided to relax by playing the piano. Since I have neither a piano nor a synthesizer, I went looking online for an online piano with examples for an ordinary QWERTY keyboard.
The search led me to the forum page, where many online services were offered. After clicking on one of them and playing for a while, I opened a new tab and began typing the address of the site I wanted. To my surprise, as I typed the address I heard piano sounds.
Not believing it, I tried typing something else and heard the sound again. I started figuring out which program the sound was coming from, since I had closed the page with the piano but the forum page was still open. By closing several tabs at random I found the source: it turned out to be the Flash ZebraKeys piano embedded in a forum post.
Realizing that this was a serious vulnerability, I started trying it in other browsers (so far it had been in Opera).
The check revealed:
Mozilla - the sound played in all tabs, including when the focus was simply on the page;
Chrome - only in the current tab, and only when the focus was in some Flash application on that page;
IE 9 - only in the current tab, including when the focus was simply on the page.
Since this vulnerability could lead to the interception of personal data, including passwords, I wrote to Opera, Mozilla (through the Mozilla Security Bug Bounty Program) and Adobe. Since I do not know spoken English, I used Google Translate.
Within a day Opera was the first to respond, thanking me for the bug I had found, fixing it in a short time, and handing me over to a Russian-speaking employee so that it would be easier to communicate.
Now Flash applications receive keystrokes only when some Flash application is in focus, even if it is in another tab. Separating by tabs, as Chrome does, is not possible, because Chrome has a separate process for each tab.
Mozilla answered later, saying that they could not reproduce it and asking which OS and plug-ins were installed. Having replied that it was Windows with such-and-such plug-ins, I waited for a further answer and was surprised to hear again that the problem could not be reproduced. After writing to them once more that it was Windows, not Linux or Mac OS, I finally got the answer from Mozilla that yes, they had managed to reproduce it: they had tried it on other OSes, then tried it on Windows and heard the sound. Thanking me for my persistence and for the bug I had found, they also wrote that the bug was already known (they gave a link) and that the problem was already being worked on. So the $3000 for a synthesizer from the Mozilla Security Bug Bounty Program is not something I will be seeing. I wrote back that they could have written the vulnerability report themselves, in hindsight. By the way, a little less than a month has passed and this vulnerability is still present in the new Mozilla 9, and you can "play the piano right in the address bar".
Adobe has not yet responded, although I wrote to an address that was hard to find on the Internet, support [] adobe.com. It may not even exist, but no form for submitting anything could be found on their website without registering.
Results
The vulnerability is present in one form or another in all browsers on Windows, because on this OS Flash reads the keyboard through the Windows API instead of receiving keyboard events through the browser plugin API (NPAPI). In other words, the plugin sees keystrokes the browser never intended to deliver to it, such as those typed in the address bar or in another tab, which is what makes it a risk for intercepting passwords. There is a way to block key reading for all Flash applications, but it cannot be done for individual applications: either all Flash applications read the keyboard, or none of them do (thanks to the Opera employee for these explanations).
PS On that forum page there is an excellent piano, which will be interesting to people who touch-type, since there you can open the examples of melodies (which key to press on a regular keyboard) and the piano itself at the same time. Very convenient. There are also many other examples in their Facebook group.