Thursday, 25 June 2015

Eset.com Flash cross-domain policy

Just i was wandering around eset and i thought to lookup http://www.eset.com/crossdomain.xml and i was shocked to see this:

<?xml version="1.0" ?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
This means that any website can send requests to the website on the user's behalf, cookies and all, and read the response without issue. For most web apps, this is a huge security vulnerability.

I quick tried a POC which read all User's Eset licences and it worked!

Fix:
They completely removed the crossdomain.xml file and the issue was fixed.


Timeline:

Reported: Jun 21, 2015 at 8:38 PM
Fix Implemented Jun 24, 2015 at 12:22 PM

 Reward:
ESET Smart Security license and a  formal (PDF) acknowledgment.

The acknowledgment is as below:


Posted by at 1 comment:
Labels: , ,
Subscribe to: Comments (Atom)