Imgur: risk of having secure=false in a crossdomain.xml

ID H1:105463
Type hackerone
Reporter hacker00000000
Modified 2016-03-03T17:26:21

Description: secure="false" permits SWF files on a non-HTTPS server to load data from this HTTPS server. Setting the secure attribute to false could compromise the security offered by HTTPS. In particular, setting this attribute to false opens secure content to snooping and spoofing attacks.

The allow-access-from node has an optional attribute 'secure'. So say the crossdomain.xml on has:

<allow-access-from domain="" secure="false"/>
<allow-access-from domain="" secure="false"/>
<allow-access-from domain="" secure="false"/>

If this is set to true (default), a Flash client retrieved over HTTP cannot access data on the over HTTPS.

I can only think of one risk in setting secure to false: a user with a poisoned hosts file or DNS server might be diverted to a Flash client on a fake This Flash client can now access sensitive data on
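One way to audit a crossdomain.xml for the setting described above, as an added example that is not part of the original report. The domains in the sample policy are constructed placeholders, and `audit_policy` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the domains are placeholders, not values from the report.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="static.example.com" secure="false"/>
  <allow-access-from domain="api.example.com" secure="true"/>
  <allow-access-from domain="*.example.net"/>
  <allow-access-from domain="cdn.example.org" secure="no"/>
</cross-domain-policy>"""


def audit_policy(xml_text, served_over_https=True):
    """Return (domain, kind, reason) for each entry that needs attention."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("allow-access-from"):
        domain = node.get("domain", "")
        # A missing attribute means secure="true", the default the report describes.
        # Assumption: values are compared case-insensitively, to err on the side of flagging.
        secure = node.get("secure", "true").strip().lower()
        if secure not in ("true", "false"):
            # Anything else is ambiguous and goes to manual review.
            findings.append((domain, "invalid", f"unrecognised secure value {secure!r}"))
        elif secure == "false" and served_over_https:
            # Only relevant when the policy protects an HTTPS origin.
            findings.append((domain, "insecure",
                             "SWF loaded over HTTP may read data from this HTTPS server"))
    return findings


if __name__ == "__main__":
    for domain, kind, reason in audit_policy(SAMPLE_POLICY):
        print(f"[{kind}] domain={domain!r}: {reason}")
```
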

Good Fix ,