xbiz world
xbiz premiere

Flash Bug Prompts Calls for Code Rewriting

LOS ANGELES – According to Google, hundreds of thousands of vulnerable Flash files are currently on the Internet, including files found at a large number of major websites.

The danger stems from a Cross-Site Scripting (XSS) exploit of Shockwave Flash (SWF) files generated by most of the programs that create Flash applets that allows attackers to access data on targeted websites; such as usernames and passwords, or even performing unauthorized online banking transactions.

The problem may be particularly acute for adult website operators, who have increasingly made use of Flash technology in advertisements and video files and often rely on Adobe's popular DreamWeaver software for website development – one of the tools that generate the vulnerable files.

"If a web application is vulnerable to XSS, and an attacker lures a user of the vulnerable web application to click on a link, then the attacker gains complete control of the user's session in the web application," Google's Rich Cannings wrote. "The attacker can use JavaScript to perform any action on behalf of the user (for example, perform a transaction on an online banking system) or change the way the website appears to the user (for example, perform a phishing attack)."

While security experts have warned of additional vulnerabilities, the XSS exploit was made public after companies such as Adobe updated their software to eliminate the bug.

Now, experts are recommending that all existing Flash files be removed from websites until they can be regenerated with the newest versions of these tools to address the issue.

Cannings also recommends that SWF files be served from numbered IP addresses or from separate domains from the site that features the Flash files.

"If there's an issue on a bank, the impact of an XSS is pretty large," Cannings said. "In other words, it's a huge amount of work, but well worth it for trusted sites that want to remain that way."

Expanding on the causes of the vulnerability, Cannings reported that DreamWeaver's "skinName" parameter can be used to load URLs containing the "asfunction" handler; while Adobe Acrobat Connect makes files that do not validate the "baseurl" parameter, which can allow malicious scripts to be injected into targeted websites.

The complete report can be read here.

Related:  

Copyright © 2026 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More News

Arizona Governor Vetoes 'Protect Act' With New Consent Provisions

Arizona Governor Kate Hobbs on Friday vetoed HB 2133, the “Protect Act,” which would have imposed new requirements for adult content uploaded online.

Brazil Begins Monitoring 18 Adult Sites for AV Compliance

Brazil’s National Data Protection Authority (ANPD) is now monitoring 18 high-traffic adult websites for compliance with the country’s Digital Statute for Children and Adolescents (Digital ECA), which requires such sites to age-verify users located in Brazil.

Ofcom Fines First Time Videos $100,000 for AV Noncompliance

U.K. media regulator Ofcom on Thursday imposed a fine of 80,000 pounds (more than $100,000) against First Time Videos, which operates FTVGirls.com and FTVMilfs.com, for failing to implement age checks required for compliance with the Online Safety Act.

Curves Ahead: How BBW Creators are Turning Differentiation Into Competitive Advantage

For centuries, curves have been celebrated as a symbol of beauty, sensuality and power. From the soft opulence of Rubens paintings to the glamorous silhouettes of pinup icons, fuller figures have long occupied a place in art, fashion and fantasy.

Woodhull Freedom Foundation to Host Virtual 'Pride' Edition of 'Fact Checked' Series

Woodhull Freedom Foundation is hosting a Pride Month virtual edition of its series “Fact Checked by Woodhull.”

'InMelanin' Relaunches Through PAYSITE

InMelanin.com has officially relaunched through PAYSITE.

Pearl Industry Network Partners With Takedown Piracy

Industry trade group Pearl Industry Network (PiN) has officially partnered with Takedown Piracy.

Hollywood Reporter Spotlights XBIZ Miami in Feature on Fan Platforms

Last month's XBIZ conference serves as the setting for a new Hollywood Reporter feature examining the competitive fan platform market.

F2F, Image Angel Launch 'Forensic Watermarking' for Traceability

Friends2Follow (F2F) and Image Angel have partnered to launch a new traceability solution to combat unauthorized content sharing with the use of forensic watermarks.

EU Court: France Can Require Foreign Sites to Implement AV

The European Union’s Court of Justice ruled on Tuesday that France may require pornographic websites based in other EU states to implement age verification in accordance with French law, as long as France follows EU electronic commerce rules.

Show More