NEWS: Google Engineer Releases Hacking Tool

If you have the Flash plugin on your PC and you visit any website that uses the API, you might want to check whether you’ve updated it lately. Google security engineer Michele Spagnuolo has recently discovered a vulnerability in the API and has released an exploit tool called Rosetta Flash, which is designed to take advantage of that vulnerability by creating malicious Shockwave files (*.swf files) that can allow their author to gain access to authentication cookies stored on an individual’s PC.


The issue is labeled with the Common Vulnerabilities and Exposures identifier CVE-2014-4671 and is described as a cross-site request forgery (CSRF) bug. What this means is that the SWF can be embedded on any random website, and any visitor with an out-of-date Flash plugin will be vulnerable to having their login information for various sites pilfered. Flash is very common on the web, and there’s very little chance that you haven’t browsed a site that uses it in the last 24 hours. eBay, Instagram, Tumblr, even Facebook and YouTube all use some form of Flash in one way or another.


Now, Spagnuolo alerted his employer, Google, first, so Google has already fixed its biggest services that would have been vulnerable to the exploit. He also notified Adobe’s Product Incident Response Team, resulting in Adobe releasing several new patches addressing the issues. That doesn’t absolve the user of responsibility, though. You need to ensure that you’re protected on your end, as Flash is so ubiquitous that you’re likely to find a service or site that hasn’t updated on its end (or even a site that is purposely using a malicious SWF file designed to exploit the bug).

If you’re using Google Chrome or IE 11, you don’t have to worry, as both browsers embed the Flash API into their program and have already patched the vulnerabilities (this is assuming you don’t decline or disable their update prompts). Users of other browsers, which usually rely on plugins to provide Flash support, need to update manually by going to Adobe Flash’s website (or through the program’s entry in Windows’ Control Panel).
