[NEWS] Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach

From: support@securiteam.com
Date: 04/13/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 13 Apr 2003 20:21:16 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach
    ------------------------------------------------------------------------

    SUMMARY

    "Over 497 million Internet users now use Macromedia Flash Player to
    seamlessly view content created with Macromedia Flash, the solution for
    developing rich Internet content and applications."

    A vulnerability discovered in the Macromedia Flash ad user-tracking field
    allows a remote user to perform cross-site scripting attacks and retrieve
    session information.

    DETAILS

    About the 'clickTAG' option:

    Macromedia Flash supplies a user-tracking field to SWF (Flash movie) ads:
    "The clickTAG is the tracking code assigned by the ad serving network to
    an individual ad. The clickTAG allows the network to register where the ad
    was displayed when it was clicked on. This click through data is reported
    to the ad serving servers so advertisers may determine the effectiveness
    of their campaign.

    The code below will allow ad serving networks to dynamically assign a
    clickTAG to their ad.

    In this example, a getURL action is being assigned to a button that will
    navigate the browser to ["clickTAG"]. The "getURL(clickTAG)" statement
    appends the variable data passed in via the OBJECT EMBED tag and navigates
    the browser to that location. It is the tracking code assigned by the ad
    serving network, which allows them to register a user's click on that
    advertisement.

    <EMBED src="ad_banner_example.swf?clickTAG=http://adnetwork.com/tracking?http://www.destinationURL.com" > ..."

    The information was taken from the Macromedia designer's guide:
    http://www.macromedia.com/resources/richmedia/tracking/designers_guide/

    Vulnerability details:

    A vulnerability in the clickTAG field enables a remote user to run
    malicious JavaScript code in the context of the remote web site, and
    therefore retrieve session information and possibly other sensitive
    information. For example, in the following URL:
    http://www.example.com/victim.swf?clickTag=XXXX
    ("XXXX" = arbitrary script or tag)

    Replacing "XXXX" with a script to steal cookies will enable an attacker to
    perform session hijacking if the session is saved in the cookie, or to
    gain the private information present in ad tracking cookies.

    Solution:

    "A new player version is NOT required. Macromedia Flash advertisements
    that accept clickTAGs need to validate that the clickTAG URL begins with
    "http:". This helps ensure the clickTAG does not contain malicious code."
    Quote from the official Macromedia security advisory.

    We recommend that all user input be filtered for malicious code and
    characters and never trusted "as-is".

    Vendor status:
    We would like to thank Macromedia for its prompt response and cooperation
    in solving this issue.
    Macromedia quickly acted to notify possibly affected sites and has
    released an official security announcement, which can be found at:
    http://www.macromedia.com/support/flash/ts/documents/clicktag_security.htm

    Macromedia has also revised the Designer's Guide and added this note:
    "Note: The ActionScript in this Flash advertisement is verifying that the
    clickTAG URL begins with "http:". This is an important security measure.
    If you do not take this precaution, a malicious HTML page could source
    your SWF and pass a clickTAG URL that begins with "javascript:" or another
    scripting pseudo-protocol. If your ActionScript code were to call getURL
    with a maliciously crafted JavaScript URL, it would be possible for the
    site serving the malicious HTML page to obtain the contents of your HTTP
    cookies or perform other actions on your site's behalf."
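
The check described in the Solution section and in Macromedia's revised note, as an added example that is not part of the original advisory or Macromedia's own code. It is written in JavaScript as a stand-in for the ad's ActionScript; `safeClickTag`, `onAdClick`, the `navigate` callback (standing in for getURL) and the acceptance of "https:" are assumptions made for illustration.

```javascript
// Added example: JavaScript stand-in for the ActionScript check described above.

// Literal form of the vendor guidance: the value must begin with "http:".
function beginsWithHttp(clickTag) {
  return typeof clickTag === "string" && clickTag.startsWith("http:");
}

// Stricter variant (an assumption, not from the advisory): parse the value and
// allow-list the scheme, so "https:" passes and any other scheme is refused.
const ALLOWED_SCHEMES = ["http:", "https:"];

function safeClickTag(clickTag) {
  if (typeof clickTag !== "string") return null;
  let parsed;
  try {
    parsed = new URL(clickTag);
  } catch (err) {
    return null; // not an absolute URL at all
  }
  if (!ALLOWED_SCHEMES.includes(parsed.protocol)) return null;
  return parsed.href; // normalized form is what gets navigated to
}

// Hypothetical click handler; `navigate` stands in for Flash's getURL().
function onAdClick(clickTag, navigate) {
  const target = safeClickTag(clickTag);
  if (target === null) return false; // drop the click, never call navigate
  navigate(target);
  return true;
}

// Constructed sample values; the first is the URL from the designer's guide.
const SAMPLES = [
  "http://adnetwork.com/tracking?http://www.destinationURL.com",
  "https://adnetwork.com/tracking",
  "javascript:void(0)",
  "JavaScript:void(0)",
  "",
];

function checkSamples() {
  return SAMPLES.map((v) => ({
    value: v,
    prefixCheck: beginsWithHttp(v),
    allowListed: safeClickTag(v) !== null,
  }));
}

console.log(checkSamples());
```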

    ADDITIONAL INFORMATION

    The vulnerability was reported by Scan Security Wire
    http://www.scan-web.com.


