Today, I want to share one of my findings from 2013: an XSS vulnerability in a Flash file used by many popular websites. The Flash file is part of sIFR (Scalable Inman Flash Replacement).

How did I find it? Until today, I thought I was the first to report this issue. In fact, it is an old bug that already has a CVE. Let's discuss what I found. While I was looking for a bug in Adobe, my browser directed me to:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE%20PHOTOSHOP%20CS3&textcolor=

The txt parameter was simple text, and the textcolor parameter accepted an HTML color code. I changed ADOBE PHOTOSHOP CS3 to XSS.

The page displayed XSS. Since the txt parameter controlled the displayed text, I replaced it with an XSS payload:

http://wwwimages.adobe.com/www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah')">xss</a>

It worked! Plus, I noticed something in the URL: it looked like a file path on www.adobe.com, so I removed wwwimages.adobe.com/ from the URL and navigated to:

https://www.adobe.com/lib/com.adobe/sIFR2.0.2/myriad.swf?txt=<a href="javascript:alert('Xssed by Abdullah')">xss</a>

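A defender-side check for the behaviour described above, added here as an example and not code from the original post: it scans constructed web-server access-log lines for requests to a .swf file whose txt parameter, once URL-decoded, carries markup or a javascript: URL. The log lines, IP addresses and the path are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2013:10:01:02 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=ADOBE%20PHOTOSHOP%20CS3&textcolor=%23000000 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2013:10:01:09 +0000] "GET /lib/com.adobe/sIFR2.0.2/myriad.swf?txt=%3Ca%20href%3D%22javascript%3Aalert(1)%22%3Exss%3C%2Fa%3E HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2013:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Request line inside a common-log-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Indicators that txt is being used to smuggle HTML or a script URL
# instead of the plain heading text sIFR expects.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:", re.IGNORECASE)


def parse_swf_text_params(line):
    """Return (path, decoded txt) when the line requests a .swf with a txt parameter, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.lower().endswith(".swf"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "txt" not in qs:
        return None
    # parse_qs already decodes once; decode again so a double-encoded
    # payload is inspected in the same form the Flash movie would render.
    return parts.path, unquote(qs["txt"][0])


def is_suspicious_txt(txt):
    """True when the text contains a tag or a javascript: scheme."""
    return bool(SUSPICIOUS_RE.search(txt))


def find_sifr_injection_attempts(log_text):
    """Return [(line_number, swf_path, decoded_txt)] for requests carrying markup in txt."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_swf_text_params(line)
        if parsed and is_suspicious_txt(parsed[1]):
            hits.append((n, parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for n, path, txt in find_sifr_injection_attempts(SAMPLE_LOG):
        print(f"line {n}: {path} txt={txt!r}")
```

The same check applied at the web tier, rejecting or escaping tag characters in txt before the SWF renders them, is the corresponding mitigation for sites that still host the file.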

I injected my name into the page, marking my start in bug bounty, a very good start actually. I thought that sIFR2.0.2 might be an Adobe product used on other websites, so I started searching for it elsewhere. I found it in use by major companies and government organizations, including Visa, AMEX, Blackberry, Stanford, Harvard, and more. Here are some examples:

[Screenshots of the examples, not reproduced here]

The PoC video: [embedded video, not reproduced here]

There are still many other vulnerable websites where this can be found.

Thank you for reading.