IBM Rational Application Security Insider: Cross-Site Scripting through Flash in Gmail Based Services

Reportedly, a cross-site scripting vulnerability exists in a Flash component used by Gmail.

Technical Details

Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it used two user-input parameters (‘apiInit’ and ‘apiId’) as parameters to ExternalInterface.call(), a class that is used for interaction between ActionScript and the Flash Player container (a hosting HTML page in the case of browsers).

http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html
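The excerpt above says that two user-controlled parameters were passed to ExternalInterface.call(). Why that is an XSS primitive is worth spelling out: Flash Player services ExternalInterface.call(name, ...args) by building a JavaScript statement of the form try { __flash__toXML(<name>(<args>)); } catch (e) { "<undefined/>"; } and having the hosting page evaluate it, with <name> spliced in verbatim. The following is an added example, not code from Gmail, Google or the Watchfire post. It simulates that container-side evaluation in plain JavaScript, shows the unchecked pattern beside an allow-listed one, and uses a constructed payload and constructed callback names (onUploadReady, gmail.upload.onComplete, the hijacked flag); nothing here is taken from uploaderapi2.swf.

```javascript
// Added example, not code from Gmail or the Watchfire post. It simulates how
// Flash Player services ExternalInterface.call(): the player builds
//   try { __flash__toXML(<name>(<args>)); } catch (e) { "<undefined/>"; }
// and hands it to the hosting page for evaluation. <name> is spliced in as-is,
// so a name read from a FlashVar/URL parameter (like apiInit or apiId) is a
// script injection point. Callback names, page object and payload are constructed.

// Simulated container (the hosting HTML page). `windowObject` stands in for the
// browser's global object; `with` makes bare identifiers resolve against it the
// way globals do in a real page. Direct eval inherits that scope.
function containerEval(scriptText, windowObject) {
  const evaluator = new Function(
    'window', '__flash__toXML', 'script',
    'with (window) { return eval(script); }'
  );
  // The real __flash__toXML serialises the return value for the player; String() is enough here.
  return evaluator(windowObject, v => String(v), scriptText);
}

// The statement the player generates. Arguments are serialised as literals;
// only the function name is interpolated raw.
function buildCallScript(functionName, args) {
  const argList = args.map(a => JSON.stringify(a)).join(', ');
  return `try { __flash__toXML(${functionName}(${argList})); } catch (e) { "<undefined/>"; }`;
}

// VULNERABLE pattern: the SWF forwards a user-controlled name unchecked,
// the equivalent of ExternalInterface.call(loaderInfo.parameters.apiInit, ...).
function callUnchecked(functionName, args, windowObject) {
  return containerEval(buildCallScript(functionName, args), windowObject);
}

// HARDENED pattern: only names on a fixed allow-list reach the container, and the
// allow-list itself is restricted to dotted identifier paths, so no punctuation
// that could break out of the generated call can ever be interpolated.
const ALLOWED_CALLBACKS = new Set(['onUploadReady', 'gmail.upload.onComplete']); // constructed
const IDENTIFIER_PATH = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeCallbackName(name) {
  return typeof name === 'string' && IDENTIFIER_PATH.test(name) && ALLOWED_CALLBACKS.has(name);
}

function callChecked(functionName, args, windowObject) {
  if (!isSafeCallbackName(functionName)) {
    throw new Error(`rejected ExternalInterface callback name: ${JSON.stringify(functionName)}`);
  }
  return containerEval(buildCallScript(functionName, args), windowObject);
}

// Constructed stand-in for the hosting page: one legitimate callback plus a
// flag that only attacker-supplied code would ever set.
function makeHostPage() {
  return {
    hijacked: false,
    onUploadReady: id => `ready:${id}`,
  };
}

// Constructed payload: the name closes the player's __flash__toXML( call and
// the try block, supplies its own catch, then comments out the rest of the line
// so the whole statement remains syntactically valid JavaScript.
const INJECTED_NAME = 'window.hijacked = true)}catch(e){}//';

function demo() {
  const page1 = makeHostPage();
  callUnchecked(INJECTED_NAME, ['UPLOAD-1'], page1);
  console.log('unchecked: injected name ran attacker code ->', page1.hijacked); // true

  const page2 = makeHostPage();
  let rejected = false;
  try { callChecked(INJECTED_NAME, ['UPLOAD-1'], page2); } catch (e) { rejected = true; }
  console.log('checked: injected name rejected ->', rejected, ', hijacked ->', page2.hijacked); // true, false

  console.log('checked: legitimate callback ->', callChecked('onUploadReady', ['UPLOAD-1'], page2)); // ready:UPLOAD-1
}

demo();
```

The point to take away is that ExternalInterface.call() is string concatenation into the page's script context, so the function name must be treated like any other value that ends up in executable code: compare it against a fixed list of callbacks the SWF is designed to invoke, rather than trying to escape it. A regex alone is not sufficient, because a syntactically valid name such as a pre-existing global function could still be called with the SWF's arguments.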
