A Google researcher found that Microsoft’s Edge browser had a “secret list” of 58 sites that were allowed to run Adobe Flash content, and that several sites on that list had known flaws that could allow a hacker to circumvent the general block on Flash that has been in place since 2017. After the complaint about the list was published, Microsoft cut the list down and kept only two Facebook addresses.
Flash is a plugin – a program outside the browser that is called to interpret certain web content. Flash is considered a web security risk: in addition to having vulnerabilities, it does not benefit from the protection measures browsers take to limit the impact of attacks that can install a virus on the computer simply by visiting a web page. For these reasons, and because Flash is increasingly being abandoned, all browsers adopted a general block on this content.
However, lists have also been adopted to allow some sites that depend heavily on Flash to keep playing this content. The purpose is to ensure browser compatibility with these sites. Flash was used especially in browser games, animations and multimedia playback.
Microsoft’s list included sites such as Facebook, Deezer, a German TV channel, and various game and music sites. The list was encrypted, which required the Google researcher to use a brute-force (trial and error) method to discover the addresses of the authorized sites. Of the 58, 2 sites were not identified.
According to Google’s report on the case, however, some of the sites on the list had cross-site scripting (XSS) flaws. These flaws allow hackers to insert unauthorized content into web pages. While these flaws pose no risk to the sites, they can be used to falsify the content of the pages shown to a web user who clicks on a link provided by the hacker.
In practice, it would be possible, through a link, to tamper with the content of those pages and make them load any Flash file. Thus, a hacker interested in exploiting a vulnerability in Flash could send a link to Edge users and ensure that their file was read by the browser, despite the block that exists to prevent exactly that situation.
Flash is due to be permanently discontinued by Adobe by 2020. All Flash features – including animations, video and music – are now part of the web’s own technologies, which means that websites no longer need to call the plugin for this type of content. However, converting old content is not a simple task.