Thursday, October 19. 2006
During the last few weeks, several researchers have spent their time hunting and warning people who have not read the Flash documentation carefully and have therefore exposed their domains to cross-domain Flash access. You will even find statistics about the number of Fortune 500 sites affected by this.
Well, I did not participate in such witch hunts, mainly because I do not consider it security research to use Google to find crossdomain.xml files or to draw sweet-looking statistics. On the other hand, these Flash policies were interesting enough for me to test and exploit.
Therefore, I researched a bit and have released a mini article about a new class of holes this obscure Flash feature pokes into web applications.
You are invited to read it here.