Cross-Site Scripting through Flash in Gmail Based Services

Background I recently discovered a cross-site scripting through Flash issue in Gmail. Not only did it expose Gmail users to full account hijacking, but it also exposed corporate users that rely on Gmail through the Google Apps initiative. Technical Details Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it used two user-input parameters (‘apiInit’ and ‘apiId’) as parameters to ExternalInterface.call(), a class that is used for interaction between Actionscript and the flash player container (a hosting HTML page in the case of browsers).
var flashParams:* = LoaderInfo(this.root.loaderInfo).parameters;API_ID = "apiId" in flashParams ? (String(flashParams.apiId)) : ("");API_INIT = "apiInit" in flashParams ? (String(flashParams.apiInit)) : ("onUploaderApiReady");......if (ExternalInterface.available) { ExternalInterface.call(API_INIT, API_ID);}
.csharpcode, .csharpcode pre
{
font-size: small;
color: black;
font-family: consolas, "Courier New", courier, monospace;
background-color: #ffffff;
/*white-space: pre;*/
}
.csharpcode pre { margin: 0em; }
.csharpcode .rem { color: #008000; }
.csharpcode .kwrd { color: #0000ff; }
.csharpcode .str { color: #006080; }
.csharpcode .op { color: #0000c0; }
.csharpcode .preproc { (continue reading...)