We have been made aware of a potential security risk in open source software that Wikileaks is using: a Flash library that displays PDF files converted to .swf format.
The software in use is FlexPaper, which uses non-static flashvars, which could result in
cross-site scripting attacks.
FlexPaper is an open source Flash library for loading PDF files:
https://code.google.com/p/flexpaper/ (the developers are aware of the vulnerability, and it will be resolved in future versions).
Two vulnerabilities, XSS and content spoofing, could be used by malicious users to affect the privacy of Wikileaks users, e.g. by using Flash components
specifically to decloak users behind the Tor network, or to link to external content in order to discredit Wikileaks, something Wikileaks should avoid given the nature of the content published on its servers.
An example of the latter is the recent FBI case of decloaking users:
http://hackread.com/fbi-used-metasploit-decloak-expose-tor-users/
Given that most browsers use plugins to enable the reading of PDFs, we strongly urge Wikileaks to link directly to PDF files instead of using third-party software that could put users at risk.
We would like to thank Francisco Alonso (@revskills, http://twitter.com/revskills) for providing us with this information.
