If you're a FlashBlock user, you may feel outraged by being brutally rickrolled this way, but you need to know that it could happen at any moment.

No special trick, just a YouTube movie embedded through a plain <object> HTML element. Examine the source code if you don't believe it:

<object width="300" height="242" data="http://youtube.com/v/A3_n0B1EaOY"> </object>

Not a big deal, really, if you consider FlashBlock a "noise reducer": it does a great job, in fact, working almost always.

A bit more worrisome, though, if you used to believe FlashBlock could improve your security against Flash vulnerabilities. Your next surprise video star may be way more malicious than Trojan.SWF.Astley...

To be fair, you would be in good company:

If they just looked at FlashBlock's FAQ, they would have found that the word "security" is never mentioned: a testament both to the good faith of the developers, who honestly advertise FlashBlock as an excellent annoyance blocker rather than a security enhancement, and to the superficiality of some advice.

Dancho is especially inexcusable, since he's the only one forgetting to mention NoScript, which features similar Flash-blocking capabilities but, being developed with security as its main focus, is immune from this and other possible circumventions and, more importantly, would regard even the most exotic unblockable edge case as a serious bug to be fixed as soon as possible.

Oops, I couldn't block my own rant :)

15 Responses to “Block Rick!”

  1. #1 ehmo says:

    Hey man, do you know any nice way how to block flash in ff, like referer with developer plugin?

  2. #2 Giorgio says:

    @ehmo:

    • In Firefox 3, Tools|Add-Ons|Plugins|ShockWave Flash (global setting)
    • Flash Killer (per-page blacklist, I guess you're after this)
    • FlashBlock (per-object or per-site whitelist)
    • NoScript (per-object or per-site whitelist, works also on JavaScript, Java, Silverlight, QuickTime and other plugins)

  3. #3 Andre Gironda says:

    FlashBlock shows things run for a second, so I'm even more surprised that no one else has called them on that B.S.

    I noticed that Flash is run with FlashBlock a long time ago. Then I read about it on sla.ckers and decided NoScript was the only way to go. However, when/if I have to use IE, I use the TurnFlash Off script from NirSoft.Net

  4. #4 .mario says:

    Nice article. Yes - it's pretty frightening how versatile the OBJECT Tag is - even and especially in FF3.

    <object data=//h4k.in>
    <object data=javascript:alert(1)>
    <object data=jav&#x61script:\u0061lert(2)>
    <object data=data:text/html;charset=utf-8,%3cscript%3ealert(3);%3c/script%3e>
    <object data=data:text/html;,%3cscript%3ealert(4);%3c/script%3e>

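The post's YouTube embed and .mario's object payloads hinge on the same fact: for an <object data=...> the browser picks the handler from the response (or from the URL scheme), not from anything the markup declares, so a blocker that keys on a declared Flash type never sees it. The following is an added example written for this page; it is not code from this blog, from FlashBlock or from NoScript. The function names, the "narrow" versus "broad" classification and the entity-decoding rules are this example's own assumptions about how such a check could be written. It runs under Node.js and compares a declared-type check against one that treats every <object> with a data attribute as plugin-capable and also surfaces script-capable schemes hidden behind numeric character references.

```javascript
// Added example (not hackademix.net's, FlashBlock's or NoScript's code): contrasts
// the markup an annoyance blocker looks for (self-declared Flash) with what a
// security-minded blocker must treat as plugin-capable. Helper names and
// classification rules are this example's own assumptions.

// Declared Flash MIME types and the well-known Flash ActiveX classid.
const FLASH_TYPES = new Set(["application/x-shockwave-flash", "application/futuresplash"]);
const FLASH_CLASSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000";
// URL schemes whose "document" is script or attacker-supplied inline markup.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript", "data"]);

// Parse one start tag into {name, attrs}; attribute names are lower-cased and
// values may be double-quoted, single-quoted or unquoted. Returns null if the
// string does not begin with a start tag.
function parseStartTag(html) {
  const tag = /^\s*<([a-zA-Z][\w:-]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/.exec(html);
  if (!tag) return null;
  const attrs = {};
  const attrRe = /([^\s=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let a;
  while ((a = attrRe.exec(tag[2])) !== null) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
  }
  return { name: tag[1].toLowerCase(), attrs };
}

// Decode numeric character references the forgiving way browsers do inside
// attribute values: the terminating semicolon is optional, so "&#x61script"
// decodes to "ascript".
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, num) =>
    String.fromCodePoint(/^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10)));
}

// Extract the URL scheme after decoding entities and stripping the leading or
// trailing controls/spaces and the embedded tab/newline characters that URL
// parsers ignore. Returns null for relative and scheme-relative (//host) URLs.
function urlScheme(url) {
  const cleaned = decodeNumericEntities(url)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Narrow rule: block only markup that declares itself as Flash. An annoyance
// blocker can afford this; the YouTube <object> in the post slips past it
// because it declares no type at all.
function declaresFlash(tag) {
  if (tag.name === "embed") return true; // <embed> exists only for plugin content
  if (tag.name !== "object") return false;
  const type = (tag.attrs.type || "").toLowerCase();
  const classid = (tag.attrs.classid || "").toLowerCase();
  return FLASH_TYPES.has(type) || classid === FLASH_CLASSID;
}

// Broad rule: every plugin-capable element counts. For <object data=...> the
// browser, not the markup, chooses the handler from the response Content-Type
// (generic inclusion), so a declared type is never trusted as a negative.
function assess(html) {
  const tag = parseStartTag(html);
  if (!tag) return { narrowBlocks: false, broadBlocks: false, scheme: null, reason: "not a start tag" };
  const narrowBlocks = declaresFlash(tag);
  if (tag.name === "embed" || tag.name === "applet") {
    return { narrowBlocks, broadBlocks: true, scheme: null, reason: `<${tag.name}> is a plugin element` };
  }
  if (tag.name !== "object") return { narrowBlocks, broadBlocks: false, scheme: null, reason: "not a plugin element" };
  if (narrowBlocks) return { narrowBlocks, broadBlocks: true, scheme: null, reason: "declares a Flash type or classid" };
  if (!("data" in tag.attrs)) return { narrowBlocks, broadBlocks: false, scheme: null, reason: "no data attribute" };
  const scheme = urlScheme(tag.attrs.data);
  if (scheme !== null && SCRIPT_SCHEMES.has(scheme)) {
    return { narrowBlocks, broadBlocks: true, scheme, reason: `${scheme}: URL in data yields script or inline markup` };
  }
  return { narrowBlocks, broadBlocks: true, scheme, reason: "generic inclusion: handler chosen by server Content-Type, not markup" };
}

// Constructed inputs: the post's YouTube embed, .mario's object payloads and a
// conventional Flash <embed> for comparison.
const SAMPLES = [
  '<object width="300" height="242" data="http://youtube.com/v/A3_n0B1EaOY"> </object>',
  "<object data=//h4k.in>",
  "<object data=javascript:alert(1)>",
  "<object data=jav&#x61script:\\u0061lert(2)>",
  "<object data=data:text/html;charset=utf-8,%3cscript%3ealert(3);%3c/script%3e>",
  '<embed src="movie.swf" type="application/x-shockwave-flash">',
];

// One line per sample showing what each rule decides and why.
function demoTable() {
  return SAMPLES.map((s) => {
    const r = assess(s);
    return `${r.narrowBlocks ? "narrow:block" : "narrow:allow"}  ${r.broadBlocks ? "broad:block" : "broad:allow"}  ${r.reason}\n    ${s}`;
  });
}

console.log(demoTable().join("\n"));
```

The output makes the post's argument concrete: every sample except the typed <embed> reads "narrow:allow broad:block". In a real extension this check would run on DOM elements as they are inserted rather than on tag strings, and the broad rule would be paired with a per-site whitelist, since "block every <object> with a data attribute" is exactly the failure margin an annoyance blocker cannot afford but a security tool must.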
  5. #5 Giorgio says:

    @.mario:
    The standard behavior is called generic inclusion for a reason...

  6. #6 Marcin says:

    Giorgio, I'm with you and Andre on this. I don't use Flashblock because essentially, it's implemented the same way a Greasemonkey script is. I use NoScript for its Flash blocking capability in addition to script whitelisting.

  7. #7 Giorgio says:

    @Marcin:
    FlashBlock is actually much more accurate and sophisticated than a GreaseMonkey script, and its latest versions deploy techniques very similar to those implemented by NoScript: while I do know a couple of tricks to execute frame 0 ActionScript despite FlashBlock, the 1 second delay you observed doesn't exist anymore.
    The point is that FlashBlock, as an annoyance blocker, can afford a known failure margin, provided that it still works in the most common and intrusive cases, for instance ads.
    The problem is when people start thinking of FlashBlock, and adblocking in general, as a security feature: every easily reproducible work-around like this becomes a vulnerability, in a security context.

  8. #8 Gijs says:

    I'm not a security buff by any means, but to reply to .mario's point, doesn't the IMG tag allow pretty much the same thing? I'm not sure why you're ascribing special powers to OBJECT when all you do is tweaking your way into parsing fixes, which I would guess apply to pretty much any element.

  9. #9 William Vambenepe’s blog » Blog Archive » Taking control of the Flash player says:

    [...] 2008/6/9: Looks like Flashblock can be circumvented (in a way that my more basic FF vs IE setup cannot). BTW, I closed comments on this entry because [...]

  10. #10 Aerik says:

    Huh. I had just updated my flash and shockwave, too.

    Anyways, I just learned something pretty damned interesting. Apparently the Konami Code Works on Google Reader. Read here: http://blogoscoped.com/archive/2008-06-09-n29.html

    Disturbing that it technically has to log your keystrokes for this to work? I tried it, it's all true. Go to google reader, do up up down down left right left right b a [enter], and it happens.

  11. #11 Giorgio says:

    @Aerik:
    Every single web page can log your keystrokes, as long as it can run JavaScript to attach a document-level keyboard event listener.

  12. #12 dolphinling says:

    Gnash has a similar click to play feature by default, without needing an extension to add it. I wonder whether it adds any security benefit, or if it's also "just for annoyances".

  13. #13 Fernando says:

    Am I the only one that clicked play? :)

    Thanks for the hard work you put to make Firefox a more secure browser.

  14. #14 hackademix.net » Twitter JSON Hijacking Updates says:

    [...] upon for security: there are too many easy ways to circumvent it. More in general, Adblock Plus and FlashBlock, despite a popular superstition, can’t be considered security tools because they’re not [...]

  15. #15 hackademix.net » Upgrade Flash and Turn Off Acrobat, NOW! says:

    [...] work-around suggested by the iDefense bulletin is bogus: as we already clarified a few times, FlashBlock can’t be relied upon as a security defense. The only reliable means to protect yourself against Flash-based 0 day attacks like these are [...]
