[Owasp-kansascity] Flash shared objects

Ferguson, David (Kansas City) Dave.Ferguson at fishnetsecurity.com
Fri Jan 12 12:08:37 EST 2007

Well I downloaded the SolVE tool and used it to browse some shared objects (.sol files) on my
computer.  Unfortunately, it errored out on some of them, including my Bank of America file (the tool
probably needs to be updated since it is from 2004).  The BoA file is called PassMark.sol.  From Ed's
email, I believe that is where BoA stores info to know whether or not you've accessed their site from
a particular computer.  Interestingly, Vanguard recently adopted the same SiteKey functionality and I
see a file called PassMark.sol for them too.  
(Hmm, I guess I just admitted I have BoA and Vanguard accounts.  That's okay - I'm protected by

> -----Original Message-----
> From: owasp-kansascity-bounces at lists.owasp.org [mailto:owasp-kansascity-
> bounces at lists.owasp.org] On Behalf Of Ferguson, David (Kansas City)
> Sent: Thursday, January 11, 2007 2:57 PM
> To: owasp-kansascity at lists.owasp.org
> Subject: [Owasp-kansascity] Flash shared objects
> Ed Welsh recently sent this my way, so I'm forwarding it along.  Is anyone using these
> shared objects
> in their development?  Personally I did not even know these files existed, let alone they
> could be
> used to store interesting or potentially sensitive information.
> Dave
> ________________________________________
> From: Welsh, Ed
> Sent: Wednesday, January 10, 2007 10:30 AM
> Subject: Flash Shared Objects
> Here is a new spot to check when information gathering a web application:
> C:\Documents and Settings\<username>\Application Data\Macromedia\Flash
> Player\#SharedObjects
> There is an object browser called "SolVe" on SourceForge.  Many applications are
> using the Flash
> shared object model to store Flash "cookies" (up to 100K).  Bank of America is putting
> the SiteKey
> info there when you authorize a PC for their site.
> Key points:
> - Clearing browser history, cookies, and cache does not clear Flash objects.
> - Many sites are not encrypting the contents.
> - At least one framework (dojo) is making this storage automatic for developers via
> object models.
> _______________________________________________
> Owasp-kansascity mailing list
> Owasp-kansascity at lists.owasp.org
> http://lists.owasp.org/mailman/listinfo/owasp-kansascity

More information about the Owasp-kansascity mailing list