The mitigation strategy falls short of current best practices.

> if possible use a dedicated sandbox domain.

It's 2014. You don't have to use JSONP and open up your domain to XSS; just use standard and safe XHR with CORS [1]. Every major browser has supported it for years, and for very old browsers that don't support CORS (IE 8), I wrote pmxdr [2] five years ago.

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

[2]: https://github.com/eligrey/pmxdr
Given the nastiness of this attack (a fully interactive client-side backdoor!), the non-trivial nature of the algorithms and coding theory required, and the slow uptake of Flash patches especially in enterprise [1], this seems like downright irresponsible disclosure to share such a detailed post (with a repository and detailed instructions for script kiddies!) so quickly after notifying companies. I can understand all too well how excited the researcher must have been to discover this and share it with the world, but jeez: wait until the Flash patch hits an inflection point on the adoption curve at least!

[1]: http://krebsonsecurity.com/2014/05/the-mad-mad-dash-to-update-flash/#more-25957
Nice to see the exploit finally out.

I gave a talk about the potential for this to happen about a year ago: http://quaxio.com/jsonp_handcrafted_flash_files/
The article suggests a 32 character length limit on callback parameters. Unfortunately this looks to be too short - from examining log files it appears jQuery often uses callbacks of 40 or even 44 characters.
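The two defensive points raised in this thread (prefer CORS over JSONP, and if JSONP must stay, constrain the callback name, where a 32-character cap would break jQuery's auto-generated callbacks) can be checked in code. The following is an added example written for this discussion, not code from the article, the thread, or any project mentioned here. It assumes a server that builds its own JSONP and CORS responses; the function names, the 64-character limit, the constructed jQuery-style callback string, and the origin allowlist are all illustrative choices. The `/**/` prefix and the `nosniff` header are common hardening steps for JSONP endpoints that the thread itself does not spell out.

```javascript
// Added example (not from the thread): JSONP callback validation and a CORS header helper.

// A callback must be a plain JavaScript identifier path (e.g. "cb" or "app.handlers.cb").
// Restricting the character set is the primary control; the length cap is a secondary one.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/;

// Returns the callback name if it is acceptable, otherwise null.
// maxLen is an assumed default chosen to leave room for jQuery-style callbacks.
function validateCallback(name, maxLen = 64) {
  if (typeof name !== 'string' || name.length === 0 || name.length > maxLen) return null;
  if (!CALLBACK_RE.test(name)) return null;
  return name;
}

// Builds a JSONP response object {status, headers, body} for a validated callback.
function jsonpResponse(callback, data, maxLen = 64) {
  const cb = validateCallback(callback, maxLen);
  if (cb === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      // Stop browsers from guessing a different content type for this response.
      'X-Content-Type-Options': 'nosniff',
    },
    // The leading comment means the response body never starts with caller-chosen bytes.
    body: '/**/' + cb + '(' + JSON.stringify(data) + ');',
  };
}

// The CORS alternative from the first comment: answer only allowlisted origins,
// echo the exact origin back, and add Vary so caches keep responses per origin.
function corsHeaders(requestOrigin, allowedOrigins) {
  if (typeof requestOrigin !== 'string' || !allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Vary': 'Origin',
  };
}

// Constructed sample: a 40-character callback in the shape jQuery generates
// ("jQuery" + digits + "_" + timestamp). Not a real captured value.
const JQUERY_STYLE_CB = 'jQuery1110012345678901234567_14050000000';

function demo() {
  return {
    rejectedAt32: validateCallback(JQUERY_STYLE_CB, 32) === null,
    acceptedAt64: validateCallback(JQUERY_STYLE_CB, 64) === JQUERY_STYLE_CB,
    injectionRejected: validateCallback('alert(1)//', 64) === null,
    jsonpBody: jsonpResponse('cb', { ok: true }).body,
    corsForAllowed: corsHeaders('https://app.example', ['https://app.example']),
    corsForOther: corsHeaders('https://other.example', ['https://app.example']),
  };
}

console.log(demo());
```

With the constructed 40-character callback, the 32-character cap from the article rejects it while a 64-character cap accepts it; the character-set check is what actually blocks a callback carrying arbitrary code, so the length limit should be set for compatibility rather than relied on as the only defence.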