confusing aspects of Flash (AS2) security

[ajoo]

Hi all, 

 

I would like to clarify 2 aspects of flash security and confirm if they can be intermixed to make an attack.

 

SO the aspects areis :- 

1. The flash application on the original domian is embedded by a hacker/cracker in another page served from another (hacker) domain.

2. The flash is decompiled and served from the hacker domain.

 

The one that actually worries me and i would like to ask about is the intermixing of the two. 

 

Let's assume that the flash application (swf file) has been downloaded and de-compiled by a hacker and he removes whatever little protection there is in there to check if the swf is running in it's original domain . Now he can upload that into another domain (hacker domain) and serve it from there. The question is

 

a) What about the data that the movie requires to be run. This data is placed on the original server. Can hacker domain somehow get the data from original server in real time and server it to users from hacker domain to whomsoever? if so how and how difficult it would be.

 

b) if the original server uses secured sessions and user verification (via a login panel of-course) before serving the files , would the above (a) still be possible if at all ?

 

c) What if the hacker is also a legitimate user and is able to log in into the original server as a user? Or is that not a big deal ?

 

if the data can be hijacked and used in real time by the hacker domain, what measures can effective block it and prevent it?

 

Thanks all !

Edited February 27, 2018 by ajoo