IBM Rational Application Security Insider: Cross-Site Scripting through Flash in Gmail Based Services(情報元のブックマーク数)
Gmailで使われている、Flashにクロスサイトスクリプティングの脆弱性が存在とのこと。
Technical Details
http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html
Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it used two user-input parameters (‘apiInit’ and ‘apiId’) as parameters to ExternalInterface.call(), a class that is used for interaction between Actionscript and the flash player container (a hosting HTML page in the case of browsers).