FlashPlus - Version 1.0.2 Released

FlashPlus 1.0.2 was released yesterday with a couple of bug fixes and some new features. First, the features in this release.
  1. Many people had requested the ability to block Flash. Extensions like FlashBlock prevent Flash from loading. However, you may want to see whether the Flash is really an advertisement that you want to block or a genuine component of the page. The new action lets you block Flash after you see it. We are also working on implementing FlashBlock inside FlashPlus. This way, you can use just one extension. This is the fix.
  2. A lot of cosmetic changes. The icon of FlashPlus has changed; so have the icons for "black out the page". The blackout is now translucent, which lets the user still know that they are on the page.
Some of the bugs that were fixed include
  • Flash is sometimes loaded using JavaScript. Previously, the extension looked only for Flash embedded in the HTML file. A new check has been added for Flash components that are added by JavaScript later. Some more work is required to check whether some Flash components are loaded right away and others are loaded using JavaScript.
  • Size of the pop up on clicking the button on the URL bar now changes according to the number of Flash movies on the page. It used to be small earlier, making it look ugly. Cosmetic change, fixed now.
  • Flash movies sometimes have incorrect dimensions. Hence, clicking on the pop up did not activate FlashPlus. This has now been fixed.
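
The check for script-inserted Flash described in the first bug fix can be built on the DOM `MutationObserver` API. The sketch below is an added example, not FlashPlus source code; the function names and the `fakeElement` test stand-in are hypothetical.

```javascript
// Added example, not FlashPlus source; all names are hypothetical.
const FLASH_MIME = 'application/x-shockwave-flash';

// True for an <object> or <embed> element that loads a Flash movie.
function isFlashElement(node) {
  if (!node || node.nodeType !== 1) return false;        // elements only
  const tag = node.tagName.toLowerCase();
  if (tag !== 'object' && tag !== 'embed') return false;
  const type = (node.getAttribute('type') || '').toLowerCase();
  const url = node.getAttribute(tag === 'object' ? 'data' : 'src') || '';
  return type === FLASH_MIME || /\.swf([?#]|$)/i.test(url);
}

// Collect Flash elements in a subtree; scripts often insert a wrapper <div>.
function collectFlash(node, found = []) {
  if (isFlashElement(node)) found.push(node);
  for (const child of node.childNodes || []) collectFlash(child, found);
  return found;
}

// Flash elements among the nodes reported by MutationObserver records.
function flashFromMutations(records) {
  const found = [];
  for (const rec of records) {
    for (const node of rec.addedNodes) collectFlash(node, found);
  }
  return found;
}

// Browser-only wiring for a content script: scan once, then keep watching.
function watchPage(onFlash) {
  collectFlash(document.body).forEach(onFlash);
  const observer = new MutationObserver(
    records => flashFromMutations(records).forEach(onFlash));
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed stand-in for a DOM element so the logic also runs under Node.
function fakeElement(tag, attrs = {}, childNodes = []) {
  return { nodeType: 1, tagName: tag.toUpperCase(), childNodes,
           getAttribute: name => (name in attrs ? attrs[name] : null) };
}
```

Because `watchPage` scans the existing document before it starts observing, it covers pages where some movies are in the HTML and others arrive later from script.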
I have forked a new branch for Release 1.3 and will be working on the following.
  • Issue 14 : Adding an Options page where user can configure the following parameters for Flash Plus
  • Issue 7 : Correct the problems in iFrame. Make FlashPlus work on IFrames.
There are a lot of interesting features lined up for the next release. Watch this space for updates.

Phishing with Google Wave

Phishing is usually categorized under social engineering rather than as a technical hack. It is inherently about tricking the user into clicking a link or visiting a web page. However, a victim being sent to the phished page even while they are on a genuine site should be a cause for concern. Since the victim did not initiate the move to the phished page, they are caught off guard.

This post is about a possible attack on Google Wave which could at the least disrupt the wave experience, if not steal the credentials. This attack is similar to the one on Orkut Opensocial that I had published earlier. I am sure someone somewhere would have already figured this out, but I chose to post this anyway since I got some time off FlashPlus, my Google Chrome extension.
The hack can be done by anyone anonymously and on public waves.
  1. Create a phished Google Login page. You could check out tackle.
  2. Search for public waves
  3. Reply to one of the messages, insert a gadget in your reply
  4. The gadget sets the top.location to the phished page.
  5. The victim now visits the wave and opens this unread wave
  6. The gadget kicks in, redirects the user to a phished page
  7. Since the victim was still inside and browsing wave, they may not suspect a phished page. They may think that they were simply logged out.
The following video shows these steps.

A couple of ways to anonymize the attacker could be
  • Make the gadget set top.location after a window.setTimeout, instead of doing it immediately.
  • Do not redirect all users. Redirect them if a certain cookie is not set. If a cookie is set, they were already phished.
  • Create anonymous accounts on Gmail, host gadget and phished page using Google Gadget Editor on iGoogle. This shows the wave URL on a gmodules.com domain, something that's more believable.
  • Submit credentials from the phished page to a form created using Google spreadsheets.
I am not sure how harmful this hack can get. I have pinged a friend at Google about this.
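
The redirect in step 4 works only if the frame that renders the gadget is allowed to navigate the top-level window. On the hosting side this is what the HTML `sandbox` attribute on an iframe controls: a sandboxed frame cannot change `top.location` unless the `allow-top-navigation` token is granted. The audit below is an added example, not code from Google Wave or from this post; it assumes gadgets are rendered in iframes, and its function names, the `thirdParty` flag and the sample frames are hypothetical.

```javascript
// Added example: names and sample data are hypothetical/constructed.
const TOP_NAV = 'allow-top-navigation';
const TOP_NAV_GESTURE = 'allow-top-navigation-by-user-activation';

// Split a sandbox attribute value into its lower-cased tokens.
function sandboxTokens(value) {
  return value.toLowerCase().split(/\s+/).filter(Boolean);
}

// Classify what a frame with this sandbox value may do to top.location.
// Pass null when the iframe has no sandbox attribute at all.
function topNavigationPolicy(sandbox) {
  if (sandbox === null || sandbox === undefined) return 'unsandboxed';
  const tokens = sandboxTokens(sandbox);
  if (tokens.includes(TOP_NAV)) return 'allowed';
  if (tokens.includes(TOP_NAV_GESTURE)) return 'user-gesture-only';
  return 'blocked';
}

// Return a sandbox value that keeps the frame's other permissions but
// drops every token that lets it navigate the top-level window.
// Assumption: an unsandboxed gadget needs scripts and nothing else.
function hardenSandbox(sandbox) {
  if (sandbox === null || sandbox === undefined) return 'allow-scripts';
  return sandboxTokens(sandbox)
    .filter(t => t !== TOP_NAV && t !== TOP_NAV_GESTURE)
    .join(' ');
}

// Report third-party frames whose content could redirect the whole page.
function auditFrames(frames) {
  return frames
    .filter(f => f.thirdParty)
    .map(f => ({ src: f.src, policy: topNavigationPolicy(f.sandbox),
                 suggested: hardenSandbox(f.sandbox) }))
    .filter(r => r.policy === 'unsandboxed' || r.policy === 'allowed');
}

// Constructed sample: frames a host page might render.
const SAMPLE_FRAMES = [
  { src: 'https://gadgets.example.test/a.xml', thirdParty: true, sandbox: null },
  { src: 'https://gadgets.example.test/b.xml', thirdParty: true,
    sandbox: 'allow-scripts allow-top-navigation allow-forms' },
  { src: 'https://gadgets.example.test/c.xml', thirdParty: true, sandbox: 'allow-scripts' },
  { src: '/own/widget.html', thirdParty: false, sandbox: null },
];
```

Running `auditFrames(SAMPLE_FRAMES)` flags the first two gadget frames and suggests a sandbox value for each that no longer permits top-level navigation.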

FlashPlus - Now for Chromium on MAC

I am currently working on FlashPlus, a Google Chrome Extension. I had written about the first release here that included a demo video.
This initial release seemed to work fine with the Windows version of Chrome, but was failing for Chromium on Mac, as Aadith reported. The error was in the manifest file, where absolute URLs were used to identify resources. This bug is now fixed and the extension works on Mac also. I also managed to sneak in a couple more features over the weekend with the latest version.
If there was more than one Flash movie on the page, the popup was not always showing the exact Flash movie. A visual indication is now in place to "find" which Flash movie is shown in the popup.
The jQuery version was also upgraded to 1.4, with some changes.
The extension file is also smaller as I realized that the initial version was packing unnecessary demo and .svn folders. Those removed, the extension is a lot smaller now.
The final change in this release was to move from Subversion to Mercurial, especially because there would be a lot of branching and I would also be doing a lot of offline development.

About the next release, I am looking at four major features, in order of priority.
  1. Add options to download a Flash movie. This is a tricky feature, as streaming videos are different from simple .swf files. However, most people have asked for downloading videos and it may make sense to show the download link from Flash video download sites selectively. I have created a branch and am working on it.
  2. Block or hide Flash movies to save CPU/memory usage. I am not really sure how much memory hiding a Flash movie can save, but from the looks of this feature, it sounds like it could help. This is easy to do.
  3. Configuring the Flash parameters. This is not a big ask as it is an advanced feature that lets you change the way SWF files behave.
  4. Blocking Flash as soon as it loads. This feature aims to bring FlashBlock under its hood, and should not be very hard to do. The question however is, do I need to replicate the FlashBlock functionality?
If you think that you need one feature more than the others, or have other exciting ideas, please do drop in your comments. If you are interested in helping with the code, it would be awesome :)
Watch this space for updates.