Doh! WikiLeaks' PDF viewer springs XSS vuln

Wikileaks' Flash-powered PDF reader has sprung a vulnerability or two.

The whistle-blowing website uses an open source Flash library called FlexPaper to display PDF files. Unfortunately various coding errors left FlexPaper open to cross site scripting and content spoofing.

Developers behind the open source web based document viewer software have developed a patch to resolve the bugs.

“We have confirmed this XSS security vuln in our GPL flash viewer and patched it. New version: http://static.devaldi.com/GPL/FlexPaper_2.3.0.zip,” FlexPaper told El Reg. “Most Flash security holes were patched in flash version 9 and FlexPaper requires Flash 11 but we have confirmed this XSS.”

The discovery of the bugs by security researcher Francisco Alonso has provoked http://www.wikileaks-forum.com/security-support/608/-flexpaper-pdf-viewer-used-on-wikileaks-org-presents-security-risk-for-users/32700/msg66862#msg668621:3 on WikiLeaks' forums that the vulnerabilities might be abused to de-cloak users, threatening the privacy of WikiLeaks users in the process.

Hackers (state sponsored or otherwise) might use Flash components specifically to de-cloak users. It might also be possible to post links to external content as part of attempts to (further) discredit WikiLeaks. Issues similar to the use by the Feds of Metasploit modules to uncover the identities of Tor users are feared.

“Given the fact that most browsers use plugins to enable the reading of PDFs, we strongly urge Wikileaks to link directly to PDF files instead of using third party software that could put users at risk,” a WikiLeaks forum member advised.

WikiLeaks did not respond to our requests for comment. ®