158 computeSpectrum exploit

You are listening to:

A lot of music and videos on Internet is delivered through a flashplayer as myspace, youtube, lastfm, deezer, ampache etc. That is not a coincidence since its a good way to deliver music and video. With as3 a new function SoundMixer.computeSpectrum() was put in the toolbox. Its the only function I can think of that add a functionality that could not be archived with as2 and some serverside tricks.

If you are listen to Internet music and at the same time surf around to watch fancy spectrum visualisations the debug dialog will popup once in a while. The debugger explains that you are violating the sandbox and writes out which files the cross domain violation concerns.

Some posts on Internet explains that you could use try catch to avoid the debug dialog, that’s not working but you could use it to catch the error. I wrote a little code which can be used to track the sound the user is listening to. The code is only useful for the debugger player since it writes a human-readable error message together with the short errorID.

SoundMixer.computeSpectrum(new ByteArray());
var message:String = e.message;
var startStr:String = "cannot access ";
var start:int = message.indexOf(startStr)+startStr.length;
var end:int = message.indexOf(". A policy file is");
var sounduri:String = message.substring(start, end);
tf.text = sounduri;

The uri can be used to identify the source of the sound if you want to download it, A process possible but boring with http-proxies as fiddler or livehttpheaders. If you have the uri you can get the sound but in most cases its not possible due to other security measurements as cookies, the referheader, and/or one-time only uris. In some more cases its not legal.

The exploit can also be used to track behavior on internet which is big business . There is nothing preventing me from posting what you are listening to or watch at youtube right now to my big brother database.

The exploit is only tested successfully on the debugger player for firefox for winxp (fp 9.0.47) and linux (fp 9.0.48), and its only working sometimes.

158 Comments to “computeSpectrum exploit”

4 displacement window

This is a demo of a way to use the displacementmap-filter to distort a movieclip in a controlled way. In most cases the displacementmap-filter is used together with some kind of random functions to create flag or liquid wave distortions. It also a experiment on how to use a physics engine as a tween engine.

You can drag the physics point but if you do to fast motions the physics grid can be messed up.
press “p” to show the physics points. Wait until new random points are set.
press “d” to show a preview of the displacementbitmap

Every 150th frame new destination points are calculated. The physics points are then moved to the new location and anchors are attached in the corners. Then the physics points are dragged to the old location and released. The result is a motion tween made of physics springs.

The circles are controlled by the physics engine and the distance to the original positions are calculated. The points are then the input for creation of a two quadratic bezier-surfaces, one for x-axis and on for the y-axis. I found the surface page on wikipedia after I made the application, which was good since its a little bit over my head, but the curvepage is good and have nice ani-gifs. A bitmapdata is created from the surfaces and used as the displacement filter. If simpler linear instead of quadratic bezier curves are used a perspective effect can be archived in a simple way.

The original clip is masked away, otherwise it shows up behind the filter during heavy displacement.

The performance is not that great. Its not that strange since its a lot of calculations. The displacement bitmapdata has the dimensions of the bounding box of the physics points. If the box is 200×200 px the displacement calculations and setpixel() in every frame is made 2×200x200 = 80000 times.

I made some small attempts to rescale the window before the calculation to be able to make a smaller displacement filter but I didnt succed.

An alternative way to archive the same effect could be to use the same triangle distortion trick as 3d engines uses. But if you want the same degree of smothness you will need a lot of triangles. Another advantage over the triangletrick is that the mouseevents on the clip still works like clicks and rollovers. That can be archived with the MovieClipMaterial in papervision3D but that’s a little bit trickier.

I’m a little bit confused why transparency and dropshadow filter on a filter works. Its a good thing here but a little bit unexpected.

The source needs some refactoring and documentation maybe. The drawings and calculations have to be separated from the physics part to make it useful. If you can use it and make something cool let me know.

4 Comments to “displacement window”

1 Image Obfuscator

Soon the face recognition tools will expand into the search market. And since everyone putting everything on the Internet and nothing disappears, integrity problems will increase.

A solution to that could be something like this application. It transforms a image to something that is harder to read. and then when you want to look at it it transforms back to the original. Of course you can make a printscreen and crop out the image but that is quite boring.

There are a lot of other uses of a application like this. Photgraphers afraid of people stealing there photos and so on, you don’t need the waterstamp.

This is not a usable product right now but more like a proof of concept.




There are some problems to fix before the application can be used more serious:
1. use of jpeg. An obfuscated image can not be compressed destructive, as jpeg, and still work,
2. keep the compression rate. The example changes every pixel depending on there value and the distorted image cant be compresses since there are no large areas of the same color.
3. add a real encryption algorithm. for example TEA. That would make it almost impossible for an computer do transform back with brutal-force since the result is not plaintext.

Most of them are easy to archive if you instead of images use swf. But one of the main purpose of the application is to be able to continue to use the same channels for images that exist today. People don’t understand the swf format. The example above can be cropped and in some cases rescaled and still be able to be decrypted.


One Comment to “Image Obfuscator”

2 Morph car

All large car company pages has a rotating car on there site. They are either made of images put together in a rotation, a flv playing a rotation or in some rare cases papervision. Here is an idea about morphing between images. Its too CPU heavy to use in a real application unless some angles are pre-rendered and used instead of calculate in each frame.

The two images are faded and morphed together. If you move the mouse to the top of the application you will see the morphing grid.


2 Comments to “Morph car”