Security vulnerability in Flex'es HTML component for Adobe AIR?

Apr 7, 2009

Tags: ,

Recently I was working on a project the required me to use the HTML component in Flex 3 which is an AIR only component that basically renders HTML using WebKit. Now as part of the HTML component you can access the dom through the htmlLoader property, but only if the HTML component is in the same security sandbox as the AIR application. Which isnt hard to get around, after the jump Ill walk you through this and explain why this can be helpful in the same way its bad.

Getting the HTML components contents into your applications security domain is as simple as setting the placeLoadStringContentInApplicationSandbox to true (which is probably not required). Once this is done you have full access to the DOM just like you where using JavaScript, which allows you to access form values and even submit the form. This of course is extremely useful especially when writing applications that require logging into a secure site. Which lets face it is not easy through script, but if you use the HTML component and what basically is JavaScript its really easy to do. For example say your trying to write an application in Flex 3 for AIR that retrieves someones friends list on VALVes Steam service. Yes you can use the XML feed of that persons profile but only if their profile is public and only their friends that also have public profiles. So to get around this you'd have to sign into the Steam community site first.

Using the HTML component you can simply tell it to goto which has the login form on the right. Using the exploit in AIR you can populate the required fields (including the captcha, which you can load into your front-end by getting its address from the HTML of the login page) with what the user enters in your front-end. Then all you have to do is target the form element (which is very easy) and call submit(). Then just listen for the page to load determine if they logged in successfully then go to their friends page. At which point you scrape the HTML from the page, which brings me to the malicious part of this feature. Using the methods above you could write a browser that would look for sensitive information in the page and abuse it. This brings me to the question is this an exploit or just a very powerful feature? Ill leave that for you to decide for now Ill just keep using this to build useful applications for my friends and family to use.

Posted in: Articles |