Scanning Adobe Flash Files with SWFScan

I was lucky enough to attend the 1st ever Thotcon on Friday. There was a pretty good gathering with talks ranging from GNU Radio Hacking, to Computer Forensic Tool Failures, to Social Engineering (which is usually my personal favorite). One of the talks that really stuck out to me was titled Dr. Evil’s Guide to Web 2.0 given by Rafal Los. Rafal demonstrated a tool called SWFScan available from HP. By using this tool, a prospective attacker could download a flash app, decompile it, and analyze the code for possible security holes. Sounds like any other client server attack tool, right? It is, but the REALLY interesting part is how careless “developers of flash sites” are with giving database credentials and other sensitive information directly in the code.

Rafal did a good job in pointing out that the majority of people using Flash are marketing people with just enough technical knowledge to use Flash to create web sites. The flash tools make it very simple for them to drag and drop objects on a screen, while not paying any attention to or keeping in mind any potential security vulnerabilities of allowing the client access to the compiled code. Furthermore, when a database is involved, you are basically giving the client the digital keys to the castle without even thinking about the implications.

Before the talk, Rafal had told attendees of the conference (via Twitter) to bring their laptops to participate in a “game” during the talk. At the beginning of his talk, he told everyone to download the SWFScan tool and start searching for vulnerable flash files. I was in the audience sitting very close to a guy who pointed out a website where a login and password with what appeared to be Administrative credentials could clearly be read in the decompiled flash code. It took the guy about 20 minutes to find this. Also, during the talk someone else found a website making open-ended database calls to a webservice, through unencrypted HTTP, within the flash code, described here in this article written by Rafal. I was absolutely sold on this being a massive problem after I heard all this.

I really wish this was difficult for someone to do… I really wish I could say that only someone with solid technical knowledge of Flash could perform theses attacks… Unfortunately, as Rafal pointed out in his talk, anyone who downloads a Flash decompiler tool, knows how to do a Google Search, and can READ can perform an attack on a vulnerable Flash site. A couple months back, I saw a Slashdot article that stated: “Adobe Flash To Be Top Hacker Target in 2010”. After Rafal’s talk, I would agree with that assessment. If you run any flash on your website, I would HIGHLY recommend that you download the tool and analyze the code for any potential security issues.

BTW, props to Rafal Los, all the other speakers at Thotcon, and the guys that organized the conference. You guys were awesome! Furthermore, it was great to finally see a hacking conference in Chicago. We were long overdue!