You are listening to:

A lot of music and videos on Internet is delivered through a flashplayer as myspace, youtube, lastfm, deezer, ampache etc. That is not a coincidence since its a good way to deliver music and video. With as3 a new function SoundMixer.computeSpectrum() was put in the toolbox. Its the only function I can think of that add a functionality that could not be archived with as2 and some serverside tricks.

If you are listen to Internet music and at the same time surf around to watch fancy spectrum visualisations the debug dialog will popup once in a while. The debugger explains that you are violating the sandbox and writes out which files the cross domain violation concerns.

Some posts on Internet explains that you could use try catch to avoid the debug dialog, that’s not working but you could use it to catch the error. I wrote a little code which can be used to track the sound the user is listening to. The code is only useful for the debugger player since it writes a human-readable error message together with the short errorID.


try
{
SoundMixer.computeSpectrum(new ByteArray());
}
catch(e:SecurityError)
{
var message:String = e.message;
var startStr:String = "cannot access ";
var start:int = message.indexOf(startStr)+startStr.length;
var end:int = message.indexOf(". A policy file is");
var sounduri:String = message.substring(start, end);
tf.text = sounduri;
}


The uri can be used to identify the source of the sound if you want to download it, A process possible but boring with http-proxies as fiddler or livehttpheaders. If you have the uri you can get the sound but in most cases its not possible due to other security measurements as cookies, the referheader, and/or one-time only uris. In some more cases its not legal.

The exploit can also be used to track behavior on internet which is big business . There is nothing preventing me from posting what you are listening to or watch at youtube right now to my big brother database.

The exploit is only tested successfully on the debugger player for firefox for winxp (fp 9.0.47) and linux (fp 9.0.48), and its only working sometimes.

You can leave a response, or trackback from your own site.

There are alot of bugs related to wmode= transparancy or opaque for firefox in windows, in linux it doesn’t seems to work at all. This particular bug is that you can’t write @ on a swedish keyboard in input textfields. Normaly you write @ with Alt Gr+2, but if you try a normal 2 is written. Faults happends for most Alt Gr codes as £${[]}. A quick workaround is to use the english Shift+2 but most people don’t know that. Or you can paste it in from elsewhere. Another workaround a friend of mine gave me is to pretype the @ in the textfield and let the user write his email around it. There are some other workarounds, but none of them was nice enough.

without the fix

with the fix

My solution registers a keyListener if a textfield is Selected and stores the key-code sequences in a keybuffer. If 17, 18, 50 is pressed an @ is written instead of the 2. 17, 18 is for Alt Gr and 50 is for the 2 key. Other key-code sequences are mapped to other signs. If another textfield or something else is in focus the listeners are removed. The class might need some localisation changes to work on different keyboard layouts.

The class has a very simple setup.

InputFix.initialize();

Once initialized it works on all textfields in the application. One important thing is that you have to import the font for the numbers even if you not is going to use them. It the chars are missing the onChanged event on the textfield are not executed.

A preferred solution is to send the browser as a flashvars and only initialize it for firefox for windows.

source: text, package

You can leave a response, or trackback from your own site.