Twitter disables Flash feature after security researcher revelations

According to Mike Bailey, a senior analyst with Foreground Security, the problem has been known since 2006, and whilst Adobe has issued alerts about the flaw, not all websites have acted on it.

The Reuters newswire quotes Biz Stone, Twitter's co-founder, as saying that Twitter "had temporarily cut off access to a feature that lets users display Twitter updates on their websites by using Flash technology."

"Our team has disabled the Flash widget while we look into the problem", Stone said in an email.

Bailey said his security analysis of the Twitter site showed that it could have been vulnerable to attacks for more than a year, but that it was impossible to know whether hackers had actually exploited the Adobe flaw.

The security researcher is scheduled to talk about his research on the Twitter flaw at the next Black Hat security event, which opens in Washington, DC, on February 2.

When the story broke on Friday afternoon in the US, Adobe responded relatively quickly to various newswire reports, most notably to an in-depth story on the site.

In his response on the site, Bailey said that: "Flash's handling of potential code is clearly MUCH more permissive than JavaScript's."

"This makes it far easier to upload an object to a webserver – a Flash file can look like anything to the server and still be executable, as long as it starts with the right sequence of bytes", he said.

"In many cases, simply changing the file's extension is enough to bypass upload restrictions. In other cases, you have to get crazy with it, but as noted in the original post, the entire ZIP family of files can have a SWF embedded in them while still being valid."

"Checking whether the file is a valid ZIP file will do you no good. The only way to be sure that the file does not contain a SWF is to specifically look for a SWF header. Any security professional will tell you that a technology that requires a blacklist approach to input validation is poorly designed."
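The check Bailey describes, as an added example that is not part of the original article or of any Twitter or Adobe code: scan an upload for an SWF header at any offset rather than trusting a container-format check. The sample ZIP, the entry name `avatar.png`, the minimal fake SWF bytes and the version/length plausibility thresholds are all constructed for this illustration.

```python
import io
import struct
import zipfile
from typing import Optional

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed body,
# ZWS = LZMA-compressed body (added in later Flash Player versions).
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

def find_swf_header(data: bytes) -> Optional[int]:
    """Offset of the first plausible SWF header in data, or None.

    Scans every offset, not just offset 0, because the SWF may sit inside
    another container (a stored ZIP entry, trailing data, and so on).
    """
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            pos = data.find(sig, start)
            if pos == -1 or pos + 8 > len(data):
                break
            version = data[pos + 3]
            (length,) = struct.unpack_from("<I", data, pos + 4)
            # Plausibility check to reduce false positives on arbitrary bytes:
            # a real header has a sane version byte and declares a length that
            # at least covers the 8-byte header itself. Thresholds are heuristic.
            if 1 <= version <= 50 and length >= 8:
                return pos
            start = pos + 1
    return None

def contains_swf(data: bytes) -> bool:
    """Upload check: reject if an SWF header is found anywhere in the bytes."""
    return find_swf_header(data) is not None

def naive_zip_check(data: bytes) -> bool:
    """The insufficient check from the article: 'is this a valid ZIP file?'"""
    return zipfile.is_zipfile(io.BytesIO(data))

def build_zip_with_swf_entry() -> bytes:
    """Constructed sample: a valid ZIP whose single stored (uncompressed)
    entry is a minimal SWF header plus padding. Not a working Flash movie,
    only the bytes a scanner must be able to find."""
    fake_swf = b"FWS" + bytes([10]) + struct.pack("<I", 32) + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("avatar.png", fake_swf)
    return buf.getvalue()
```

The sample passes `naive_zip_check` yet `contains_swf` flags it, which is the point of Bailey's remark. A deflate-compressed entry would not be found by this raw byte scan, so inspecting each extracted entry as well covers that case.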

According to Bailey, the solutions for a site security administrator are not easy to implement, with the best option being to place all the user-generated content on a separate server.

"For large web applications, this is probably already happening. But do you think that every rebuilt forum, ecommerce, blog, and gallery application out there is going to get redesigned to fix Flash's problem? Do you think the hobbyists and mom-and-pop shops are going to set up a separate server for holding this content?", he said.

Bailey is also scathing in his analysis of Adobe's response to the news reports of the Twitter problem:

"By their own definition, Flash's policy does not work. Adobe's response is dead wrong."
