Flash clickTAG parameter XSS. Banks, e-shops, Adobe and others vulnerable

Written by DP

Tuesday, 12 May 2009

Hundreds of thousand websites host vulnerable Flash files which can be exploited by malicious people to conduct convincing phishing and XSS attacks. In most cases cookie hijacking is possible. Unsuspecting users can be redirected from trustworthy  SSL and non-SSL sites to malware, adware and spyware sites.

The clickTAG= parameter dynamically passes a click through URL to a Flash movie as a "key-value", using a GET method (within the URL). It is used by many adserving companies.


It has to be properly checked before executing getURL(clickTAG), otherwise a malicious user can perform XSS attacks on the domain hosting the SWF file.

Flash files with "_blank" target in getURL(_root.clickTAG, "_blank"); do not allow cookie hijacking and do not work in IE.

This google dork reveals about 200000 results of possibly vulnerable SWF files:
inurl:clickTAG filetype:swf

(and these are just the indexed ones in Google, in fact there are hundreds of thousand more).

Adobe recommends to ensure that clickTAG begins with http: before executing getURL(clickTAG):

if (clickTAG.substr(0,5) == "http:") {

In order to avoid redirects to third party sites hosting malicious scripts, it is better to ensure that it begins with http(s)://

Quite an irony that SWF hosted on is vulnerable (reported by Hexspirit): SWF XSS Mirror (SSL)

The SSL e-banking site of greek Marfin Egnatia Bank is also vulnerable (reported by Hexspirit): SWF XSS Mirror (SSL) SWF XSS Mirror (SSL)

This is critical as it can be exploited by fraudsters to conduct phishing attacks against their e-banking customers.
Anyway, it is hard to access the e-banking platform because a special token from a security device is needed (Verisign, Vasco etc).

A famous greek technology e-shop too (reported by Hexspirit): SWF XSS Mirror (SSL)

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.