On Oct 14, 2012, at 3:52 PM, Chris Pearce <[email protected]> wrote:
> On 13/10/12 07:20, Carr, Wayne wrote:
>> There’s a recent post on a phishing attack using the full screen api
>> [1][2][3].
>
> It's worth noting that this attack has been possible in Flash for years, and
> the sky hasn't fallen.

For most of that time, Flash has either not allowed any keyboard input, or allowed only non-alphanumeric keys. That has significantly different security characteristics against a phishing threat model than full-keyboard-enabled fullscreen. Just recently (in Flash 11.3) they added optional full keyboard input, but that puts up a separate permission prompt and doesn't pass through keys until the user approves.

Regards,
Maciej
