Thursday, September 27, 2007

loadVariables security by built-in obscurity

Ever wondered what's the real under-the-hood difference between the old loadVariables and the LoadVars class introduced in Flash Player 6?!
Me neither!
Today I was casually chatting with my dear old Flash buddy over in Bucharest. When we don't talk cycling we talk Flash stuff, and if there's nothing really interesting we go back to cycling :)
But this one was a truly shiny gem.
He was claiming that Flash has this built-in security-by-obscurity mechanism that actually helps secure the requests to his PHP scripts in a way that is impossible to crack. I naturally started to express my doubts regarding the feature because we all know that real security is hard to achieve. Even more so when it comes to Flash. But as he is more of an old-style AS coder, I decided to see what he's got, because he usually carries lots of these gems in his Flash wizard bag.
His take was that when using loadVariables he is able to send PHP an obscure argument that is not immediately obvious in the Flash source. Thus he makes sure that PHP calls are made only from his SWF. So I fired up my Ethereal to see what gets sent from Flash to PHP. The answer was: a lot. Turns out that using loadVariables you actually send all the hand-coded properties of _root to the server. I have no idea why, but I can imagine some good overhead when you're using it and you also keep a lot of properties in _root.
Now maybe someone else found this and wrote about it. If so, kudos to him. loadVariables is so old that even Google mistakes it for its LoadVars offspring.
Here's the hands-on test.
Better LoadVars your data from now on!
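
What the capture described above looks like once decoded, as an added example that is not code from the original post: a constructed loadVariables-style POST is parsed and compared with the fields a hypothetical save.php expects. The host, the field names and values, and the expected-field set are all assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample: the urlencoded body a loadVariables POST could carry when
# _root holds more than the two values the script needs (all names hypothetical).
BODY = b"score=1200&playerName=ana&hiddenKey=x9%21Qz&debugMode=true&lastLevel=7"
CAPTURED_REQUEST = (
    b"POST /save.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    b"\r\n" + BODY
)

# Assumption: the only fields the hypothetical save.php actually reads.
EXPECTED_FIELDS = {"score", "playerName"}


def parse_form_post(raw: bytes) -> dict:
    """Split a raw HTTP request and decode its form-encoded body into a dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"")
    if not ctype.startswith(b"application/x-www-form-urlencoded"):
        raise ValueError("not a form-encoded body")
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def audit(fields: dict, expected: set) -> dict:
    """Separate the fields the endpoint asked for from leaked timeline state."""
    return {
        "expected": sorted(set(fields) & expected),
        "unexpected": sorted(set(fields) - expected),
    }


if __name__ == "__main__":
    fields = parse_form_post(CAPTURED_REQUEST)
    report = audit(fields, EXPECTED_FIELDS)
    print("needed by the script :", report["expected"])
    print("sent anyway          :", report["unexpected"])
    # The "obscure" argument is an ordinary cleartext form field on the wire.
    print("hiddenKey on the wire:", fields["hiddenKey"])
```

Anyone who can see the request can read the hidden argument, so its presence cannot prove that a call came from the original SWF.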


Blogger Unknown said...

That's interesting research...

Another reason to proceed in every project that requires AS2 to LoadVars and never ever use "loadVariables" old routine in a modern world.

2:12 PM, September 28, 2007  
