Flash Insecurity Article

This just came through in my Google news alerts. The IT Observer article is dated today but then the "full article" (on ActionScript.com) seems to have been written in 2005, so they were recycling old content. The topic here is SQL injection attacks on Flash... Of course, SQL injection is not a new thing to those of us in the ColdFusion world, but my question is: Is the information in this article accurate? Are they overreacting? It says that SWFs can be decompiled and the ActionScript read. This means you shouldn't put sensitive data into your ActionScript.

This was the Google link: http://www.it-observer.com/news/6554/flash_insecurity/

Here is the original article from ActionScript.com: http://www.actionscript.com/Article/tabid/54/ArticleID/flash-insecurity/Default.aspx

Comments, anyone?

Judith

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:30:148
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/30
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:30
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=17837.14401.30
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Flash Insecurity Article

Judith Dinowitz wrote:
> http://www.it-observer.com/news/6554/flash_insecurity/
> ... Comments, anyone?

It's true that code sent to the client can be examined, so hiding password data in a SWF would be inadvisable.

I'm not sure which other parts you're seeking comment on... when the writer takes the time to tell us "The very term Flash Security is an oxymoron. Anything running on the client-side is inherently insecure," then I wonder what he thinks of a static page, or a JavaScript rollover. (The wording is imprecise....)

.... hmm, but the text at it-observer.com is actually Satori's text, from a year ago last April. Is this a real website, or just another automated copy site to collect advertising revenue? From spotchecks on other articles listed there it looks like they're just republishing existing web content, without credit to the authors... is the surface impression untrue, or is the exploit actually within this website...?

jd

--
John Dowdell . Adobe Developer Support . San Francisco CA USA
Weblog: http://weblogs.macromedia.com/jd
Aggregator: http://weblogs.macromedia.com/mxna
Technotes: http://www.macromedia.com/support/
Spam killed my private email -- public record is best, thanks.
Re: Flash Insecurity Article

John,

When I see something come across Google News, my first thought is whether this is grist for the Adobe/ColdFusion News Brief pieces that Ryan Hartwich writes for Fusion Authority, or the starting-point of a possible article for FA. I figured I'd ask the ColdFusion-Flash list what they thought of it.

What bothered me about this article was the very text you cited below, and the idea that this was written a year ago and for some reason pushed forward by IT-Observer now.

Thanks for your comments... This does seem like more hot air than actual substance.

Judith

----- Original Message -----
> It's true that code sent to the client can be examined, so hiding
> password data in a SWF would be inadvisable.
>
> I'm not sure which other parts you're seeking comment on... when the
> writer takes the time to tell us "The very term Flash Security is an
> oxymoron. Anything running on the client-side is inherently insecure,"
> then I wonder what he thinks of a static page, or a JavaScript rollover.
> (The wording is imprecise....)
>
> .... hmm, but the text at it-observer.com is actually Satori's text, from
> a year ago last April. Is this a real website, or just another automated
> copy site to collect advertising revenue? From spotchecks on other
> articles listed there it looks like they're just republishing existing
> web content, without credit to the authors... is the surface impression
> untrue, or is the exploit actually within this website...?
>
> jd
Re: Flash Insecurity Article

Ok... this article is pure crap, IMHO. :-)

Flash Remoting security is purely based on the backend security. You can run it over HTTPS but it can still be peeked into by ServiceCapture (at least the docs say so; which isn't a plus for anyone), but having someone enter the 1=1 hack or anything else in a textfield inside of Flash (that gets submitted to a db, that is) will get nothing but a string inserted into the database, simply because a simple cfqueryparam will stop all the madness.

The funniest part was about shared objects. That was hilarious. I guess some people do weird things that he has seen and I'm just blinded, but who uses an SO for highly sensitive data AND how can you attack a server via an SO? It all goes back to simply validating your data, which he did say.

The bottom line is, Flash isn't Alcatraz but even Alcatraz had security issues. The things he points out are definitely fluff and nothing more. Flash is as secure as the developer using it and with a bad developer is still more secure than JS, IMO.

On 7/4/06, Judith Dinowitz <jdinowit@...> wrote:
>
> John,
>
> When I see something come across Google News, my first thought is whether
> this is grist for the Adobe/ColdFusion News Brief pieces that Ryan Hartwich
> writes for Fusion Authority, or the starting-point of a possible article for
> FA. I figured I'd ask the ColdFusion-Flash list what they thought of it.
>
> What bothered me about this article was the very text you cited below, and
> the idea that this was written a year ago and for some reason pushed forward
> by IT-Observer now.
>
> Thanks for your comments... This does seem like more hot air than actual
> substance.
>
> Judith
> ----- Original Message -----
> > It's true that code sent to the client can be examined, so hiding
> > password data in a SWF would be inadvisable.
> >
> > I'm not sure which other parts you're seeking comment on... when the
> > writer takes the time to tell us "The very term Flash Security is an
> > oxymoron. Anything running on the client-side is inherently insecure,"
> > then I wonder what he thinks of a static page, or a JavaScript rollover.
> > (The wording is imprecise....)
> >
> > .... hmm, but the text at it-observer.com is actually Satori's text, from
> > a year ago last April. Is this a real website, or just another automated
> > copy site to collect advertising revenue? From spotchecks on other
> > articles listed there it looks like they're just republishing existing
> > web content, without credit to the authors... is the surface impression
> > untrue, or is the exploit actually within this website...?
> >
> > jd
> >
> >
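As an added example (not from any poster in the thread), the cfqueryparam point above written out as a ColdFusion component exposed to Flash Remoting, with the raw-concatenation version beside the parameterized one; the datasource, table and column names are assumptions:

```cfml
<!---
  UserService.cfc: a ColdFusion component callable from Flash Remoting.
  access="remote" is what lets a Flash client invoke these methods, so
  every argument arriving here is untrusted client input.
  Datasource "exampleDSN" and tables "users"/"comments" are assumed.
--->
<cfcomponent>

    <!--- BEFORE: the submitted text is concatenated into the SQL.
          A numeric context gets no automatic quote escaping, so input
          such as   1 OR 1=1   changes the query logic and returns every row. --->
    <cffunction name="getUserUnsafe" access="remote" returntype="query">
        <cfargument name="id" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="exampleDSN">
            SELECT id, username
            FROM users
            WHERE id = #arguments.id#
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- AFTER: cfqueryparam binds the value as a typed parameter.
          "1 OR 1=1" fails the cf_sql_integer check and the query never
          reaches the database; a real id is bound as a value, not SQL. --->
    <cffunction name="getUser" access="remote" returntype="query">
        <cfargument name="id" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="exampleDSN">
            SELECT id, username
            FROM users
            WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- Free text from a Flash form field: bound as a varchar, a payload
          like  ' OR 1=1 --  is stored as exactly that string, which is the
          behaviour the post describes. maxlength caps the stored size. --->
    <cffunction name="saveComment" access="remote" returntype="void">
        <cfargument name="comment" type="string" required="true">
        <cfquery datasource="exampleDSN">
            INSERT INTO comments (body)
            VALUES (<cfqueryparam value="#arguments.comment#"
                                  cfsqltype="cf_sql_varchar" maxlength="500">)
        </cfquery>
    </cffunction>

</cfcomponent>
```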