We have been made aware of a potential security risk with open source software Wikileaks is utilizing, which uses a Flash library to display PDF files in .swf format.
The software being used is FlexPaper, which uses non-static flashvars, which could result in cross-site scripting attacks.
FlexPaper, an open source Flash library to load PDF files: https://code.google.com/p/flexpaper/ (The developers are aware of the vulnerability and it will be resolved in future versions.)
Two vulnerabilities, XSS and content spoofing, can be used by malicious users, either to affect the privacy of users of Wikileaks (e.g. using Flash components specifically
to decloak users behind the Tor network) or to link to external content to discredit Wikileaks, something Wikileaks should avoid given the nature of the content published on Wikileaks servers.
An example of this, the FBI decloaking users: http://hackread.com/fbi-used-metasploit-decloak-expose-tor-users
Given the fact that most browsers use plugins to enable the reading of PDFs, we strongly urge Wikileaks to link directly to PDF files instead of using third party software that could put users at risk.
We would like to thank Francisco Alonso (@revskills, http://twitter.com/revskills) for providing us with this information.
Linkback: http://www.wikileaks-forum.com/security-support/608/-flexpaper-pdf-viewer-used-on-wikileaks-org-presents-security-risk-for-users/32700/
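The post's two points are that a viewer driven by non-static flashvars lets a request parameter choose what the viewer loads (an external or script: URL gives content spoofing and XSS), and that the simplest mitigation is to serve the PDF directly. The following is an added example, not code from the forum post or from the FlexPaper project: it shows the server-side check a site would apply before a request parameter reaches the flashvars of an embedded viewer, and the direct-link fallback the post recommends. The parameter name `SwfFile`, the `/docs/` document prefix and the viewer path `/FlexPaperViewer.swf` are assumptions for the illustration.

```python
"""Added example (not the forum post's or FlexPaper's code): keep a
request-controlled document parameter from turning into a cross-origin
or script: value inside a Flash viewer's flashvars, and render the
direct link the post recommends instead."""
import html
import posixpath
import re
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

ALLOWED_PREFIX = "/docs/"           # assumption: where converted documents live
ALLOWED_EXT = {".pdf", ".swf"}      # viewer input formats the site actually serves
VIEWER_SWF = "/FlexPaperViewer.swf"  # assumption: path of the viewer movie
SAFE_CHARS = re.compile(r"^[A-Za-z0-9._/-]+$")


def validate_doc_path(raw: str) -> Optional[str]:
    """Return a normalised same-origin path under ALLOWED_PREFIX, or None.

    Rejects anything with a scheme or host (javascript:, data:,
    //other-site/...), traversal out of the prefix, characters that could
    break out of an attribute or a flashvars pair, and unexpected types.
    """
    if not raw or len(raw) > 512:
        return None
    candidate = unquote(raw)        # decode once; a leftover '%' fails SAFE_CHARS
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:   # would leave our origin or run script
        return None
    path = parts.path
    if not SAFE_CHARS.fullmatch(path):
        return None
    norm = posixpath.normpath(path)    # collapses /docs/../x into /x
    if not norm.startswith(ALLOWED_PREFIX):
        return None
    if posixpath.splitext(norm)[1].lower() not in ALLOWED_EXT:
        return None
    return norm


def viewer_embed(raw_param: str) -> Optional[str]:
    """Embed the viewer with a validated, URL-encoded, attribute-escaped flashvars value."""
    path = validate_doc_path(raw_param)
    if path is None:
        return None
    flashvars = "SwfFile=" + quote(path, safe="/")   # flashvars values are URL-encoded pairs
    return (
        f'<object type="application/x-shockwave-flash" data="{VIEWER_SWF}">'
        f'<param name="flashvars" value="{html.escape(flashvars, quote=True)}">'
        "</object>"
    )


def direct_link(raw_param: str) -> Optional[str]:
    """The post's recommendation: hand the browser the PDF itself, no third-party viewer."""
    path = validate_doc_path(raw_param)
    if path is None:
        return None
    name = html.escape(posixpath.basename(path))
    return f'<a href="{html.escape(path, quote=True)}" type="application/pdf">{name}</a>'


if __name__ == "__main__":
    # constructed sample inputs: one legitimate, the rest the shapes the post warns about
    for sample in [
        "/docs/report.pdf",
        "//evil.example/loader.swf",
        "javascript:alert(document.cookie)",
        "/docs/../private/leak.pdf",
        "/docs/report.pdf%22%3E%3Cscript%3E",
    ]:
        print(repr(sample), "->", validate_doc_path(sample))
    print(direct_link("/docs/report.pdf"))
```

Validation happens once, in `validate_doc_path`, and both renderers go through it, so the decision to reject external hosts, schemes and traversal cannot drift between the viewer page and the plain-download page. The URL-encoding of the flashvars value and the HTML escaping of the attribute are separate steps on purpose: the first keeps `&` and `=` from injecting extra flashvars pairs, the second keeps the value inside the attribute.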