IV. Flash based XSSes on Youtube iframe api I’m happy that people found my previous posts on Youtube Flash vulnerabilities interesting, and I will keep posting new write-ups. This time I will disclose 3 Flash based XSSes on the new Youtube html5 api (with Flash fallback). Youtube html5 api is called Youtube iframe api, because… Read More

III. XSF via loaderinfo.url redefinition Let’s have a look at how the Main App loads the Modules : The url of the module is dynamically generated by the main app by using it’s own url (2) and replacing the filename (watch_as3.swf) by the module filename (subtitles.swf) (3). This allows to handle multiple versions on the… Read More

II. XSF via appLoader In Part 1, I introduced an information leakage vulnerability in Youtube. In this part I will disclose a more severe vulnerability that allows arbitrary Flash code execution in youtube.com. This type of vulnerability is very similar to XSS except we execute Flash code instead of Javascript. It is called Cross-Site Flashing… Read More

Why Flash Security still matters? Flash is still an active threat. In 2017, I reported Flash vulnerabilities to Facebook, Youtube, WordPress, Yahoo, Paypal and Stripe. Over the last 3 years, I reported more than 50 Flash vulnerabilities to Bug Bounty programs, earning more than 80k $ in rewards. And there are many more I didn’t… Read More