
An old Adobe vulnerability patched in 2011 has been allowing attackers to compromise user data of many high-profile websites, including three of Alexa’s top 10 most visited sites.

Application security researchers Luca Carettoni from LinkedIn and Mauro Gentile from Minded Security recently presented their findings regarding the CVE-2011-2461 bug, which affected previous releases of Adobe’s Flex Software Development Kit (SDK).

“The particularity of CVE-2011-2461 is that vulnerable Flex applications have to be recompiled or patched; even with the most recent Flash player, vulnerable Flex applications can be exploited,” explained the researchers in a blog post.

According to Carettoni and Gentile, as long as the Flash file was compiled using a vulnerable Flex SDK, attackers can still leverage the flaw against the latest web browsers and Flash plugin.

By locating SWFs hosted on top-trafficked websites and analyzing the files with a custom tool that detects vulnerable code patterns, the team found that numerous websites remained exposed to potential attacks, including Google, Yahoo, Salesforce and Adobe.

The researchers noted that while attackers can steal victims’ data through Same-Origin Request Forgery and perform actions on behalf of users via Cross-Site Request Forgery, they would first need to convince users to visit a malicious site.

“Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker. Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.”

Carettoni and Gentile added that they have been privately disclosing the issue to popular websites over the past months, and have released their SWF test tool – ParrotNG.

To mitigate the issue, admins are advised to recompile SWF files using the latest Apache Flex SDK, patch them with the official Adobe patch tool, or simply delete them if they are no longer used.
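The first step of that remediation is knowing which hosted SWFs were built with Flex at all. As an added example (not the article's code and not the researchers' ParrotNG tool), the script below walks a web root, validates each SWF header, inflates zlib-compressed movies and flags files carrying strings typical of Flex-compiled output, giving the list of candidates to recompile, patch or remove. The marker strings are my own heuristic assumption: a hit means "built with Flex, audit it", not "confirmed vulnerable", and LZMA-compressed (ZWS) files are reported for manual inspection rather than decoded.

```python
import os
import struct
import zlib

# Assumed heuristic markers (not from the article): a Flex-SDK-built SWF carries
# the "resourceModuleURLs" flashvar name and "mx.core" namespace strings. A hit
# means "built with Flex, audit or recompile it", not "confirmed vulnerable".
FLEX_MARKERS = (b"resourceModuleURLs", b"mx.core")

def swf_body(data):
    """Validate the 8-byte SWF header and return the uncompressed tag stream."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("not a SWF file")
    sig, length = data[:3], struct.unpack("<I", data[4:8])[0]  # LE uint32
    if sig == b"ZWS":                         # LZMA-compressed; not handled
        raise NotImplementedError("ZWS (LZMA) SWF; inspect manually")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    if len(body) + 8 != length:               # header states total length
        raise ValueError("declared length does not match body size")
    return body

def flex_indicators(data):
    """List the markers found in a SWF, in FLEX_MARKERS order."""
    body = swf_body(data)
    return [m.decode() for m in FLEX_MARKERS if m in body]

def scan_tree(root):
    """Map each .swf under root to its indicator list, or to an error string."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".swf"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings[path] = flex_indicators(fh.read())
            except (ValueError, zlib.error, NotImplementedError) as exc:
                findings[path] = "error: %s" % exc
    return findings

def build_sample_swf(body, compress=True):
    """Constructed test input: a minimal valid header in front of a given body."""
    sig = b"CWS" if compress else b"FWS"
    header = sig + bytes([10]) + struct.pack("<I", 8 + len(body))  # version 10
    return header + (zlib.compress(body) if compress else body)
```

Run `scan_tree("/path/to/webroot")` and treat every path with a non-empty indicator list as a file to recompile with a patched SDK, patch, or delete.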

Carettoni and Gentile’s analysis is detailed in their presentation slide deck below: