Part IV: Spamming and security alerts!

A flash-based app is inherently insecure. By creating one, the designer takes a risk every time he puts in a feature that he doesn't want the average person to know about when they see the flash application. In the case of a game, a player with knowledge can reverse-engineer the game and change the rules. Imagine playing Pac-Man in flash with infinite lives, or submitting an unbeatable high score for a flash game contest of some sort. With flash apps and a little know-how, it's possible to do these things and more.

In most cases, it's really not a big deal. The flash recipient isn't likely to spend the time to reverse-engineer the app, because it's unlikely to yield much. In most cases, it's temporary fame on an unknown website... imagine cheating at Skwerl Invaders here on The only people likely to care are the cheater and me!

Side note: Some apps truly have to be secure. For these cases, it's rare that all the logic is kept in the flash file. More often than not, the flash will merely act as a presentation layer for an app that calls server-side programs, and it's those programs that do the real work. So why doesn't Winklet do this? Simple - they sell a very simple web site. That flash app is entirely about presentation, and not about complex data modeling on a database server somewhere. They simply don't have anything that would make sense to break out. Except, perhaps, for their email system...

Emailing is the one thing some winklets hand off to a special server-side script. That script isn't in the easily disassembled flash code... but it's still very insecure because of the nature of the template. One website template is going to behave very much like another. In the case of winklets that support it, they use a standard email.php or email.asp script that takes standard parameters and generates an email from those parameters. In order to be generic, these scripts allow for a great deal of exploitation.

Download a template that has some kind of email support. One of the ones I know of offhand is "High Tech 021". It has a "newsletter signup" section which alerts the site owner that somebody new wants a newsletter. Two scripts, email.php and email.asp, are included in the site, and are the crux of the problem. If I find somebody using this template, I can easily create a little web page that lets me pretend to be the flash app, and send emails as if I were the website owner. The ramifications here are pretty mild, as the script won't allow me to do a whole lot other than be a nuisance. But it could allow for basic spamming - in email.php, you could set the "Name" field to something like <img src="" />. By setting the "recipient" field to a random target, I'm sending an awkward, but fairly effective, spam campaign. What's more, it's a campaign that's very difficult to trace, since the emails aren't coming from me. Throw in an anonymous proxy, and I'm the stealthiest spammer ever.
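One way a site owner could harden such a signup handler, shown as an added example that is not the template's own email.php: the destination is fixed on the server and the submitted fields are validated before a message is built. The "Name" and "recipient" field names come from the text above; the "Email" field, `OWNER_ADDRESS` and `build_signup_mail` are assumptions made for illustration.

```php
<?php
// Added example; not the template's email.php. "Name" and "recipient" are the
// field names from the article; "Email", OWNER_ADDRESS and the function name
// are assumptions made for illustration.
const OWNER_ADDRESS = 'owner@example.com'; // placeholder, configured server-side

function build_signup_mail(array $post): ?array
{
    $name  = (string)($post['Name'] ?? '');
    $email = (string)($post['Email'] ?? '');

    // Every value must fit on one line: no CR, LF or other control characters.
    if (preg_match('/[\x00-\x1F\x7F]/', $name . $email)) {
        return null;
    }
    $name  = trim($name);
    $email = trim($email);
    if ($name === '' || strlen($name) > 100
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // A client-supplied "recipient" is never read: the destination is fixed.
    return [
        'to'      => OWNER_ADDRESS,
        'subject' => 'Newsletter signup',
        // Plain-text body with markup escaped, so a field cannot carry HTML.
        'body'    => 'Name: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
                   . "\nEmail: " . $email . "\n",
        'headers' => 'Content-Type: text/plain; charset=UTF-8',
    ];
}

// Constructed sample requests (not captured traffic).
$samples = [
    'normal signup'      => ['Name' => 'Ann', 'Email' => 'ann@example.org'],
    'markup + recipient' => ['Name' => '<img src="" />', 'Email' => 'ann@example.org',
                             'recipient' => 'someone@example.net'],
    'multi-line name'    => ['Name' => "Ann\r\nSmith", 'Email' => 'ann@example.org'],
];
foreach ($samples as $label => $post) {
    $m = build_signup_mail($post);
    // A real handler would call mail($m['to'], $m['subject'], $m['body'], $m['headers']).
    echo $label, ': ', $m === null ? 'rejected'
        : 'to ' . $m['to'] . ' | ' . str_replace("\n", ' / ', trim($m['body'])), "\n";
}
```

Because the script is reachable by anyone who can see the template, the checks have to live in the script itself; nothing the flash front-end does can be relied on.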

My point here is simply this - any flash app that inherently needs to hide things is going to have some trouble. But a flash app sold as a template will never hide anything, because dedicated people can get a hold of the template and see not only the flash front-end, but also any server-side scripts being used. This knowledge is almost always able to be put to malicious use. Sending anonymous emails is only one of many potential problems you could run into. A clever combination of information gathering, knowledge, and dedication could allow somebody to use your config files and scripts to do some pretty dangerous things.