If you get a notification today to update your Flash player it would probably be a good idea not to ignore it. A major security flaw has been patched through the update, which if exploited, has the potential to expose authentication credentials of end users when they visit popular websites such as Tumblr, Instagram, eBay and many more. Basically the attackers would be able to steal cookies that authenticate users.

Michele Spagnuolo, a security blogger, said that this exploit has been pretty well known in the infosec community but no tools have been made public as yet to exploit this flaw as there was no proof of concept that showed the exploit to work. This led website owners “and even big players in the industry” to hold off on any mitigation unless there was credible proof of concept.

So Spagnuolo came up with Rosetta Flash, a tool that capitalizes on this exploit to capture cookies with authentication credentials. Soon after the proof of concept Adobe pushed out an update for Flash to mitigate risk however since it will probably take all users more than a few days to jump on this update, engineers at major websites have been advised to make server-side changes to minimize any damage.

Google, Twitter and Tumblr have already patched things at their end and its likely that the others will follow suit soon as well.

Filed in Web. Read more about Flash.

Related Articles
User Comments