Flash is dead. But did you know that ...
So Flash (from Adobe, not the one from DC) is finally and officially dead (for a while now). This is good news for cybersecurity, as there were always plenty of exploits and flaws in Flash.
But ...
One of the most common attacks on users of internet banking was (and in some areas still is) the "Man-In-The-Browser" attack, where malware injects malicious content (i.e. scripts) directly into the DOM rendered in the user's browser, changing its content and running a malicious scenario that (mostly) ends with a fraudulent money transfer.
The way to detect this type of attack is to place your own code that runs on the "user side" (in the browser) to detect anomalies (keywords, modifications, etc.), and the common way to do it is to use JavaScript that performs the checks when the user opens the website (i.e. the internet banking site).
Of course, that is something an attacker who prepares their own inject(s) may easily spot and disable in their own code (either in the code injected into the browser or by using a malware function that breaks it).
And here's where Flash may be (and was) used to hide the detection code and make it harder for the attacker to spot and disable.
Using Flash's built-in scripting engine, ActionScript, you could use the function
ExternalInterface.call();
to run JavaScript code directly from Flash, and not from the HTML code rendered in the browser. This simple but powerful function made it possible to run detection code that may be invisible to the attacker, or that required a lot of effort (decompiling a Flash banner, for example) to spot.
I was talking about this trick/technique at the Confidence 2017 conference in my talk called "Using web technologies to detect malware".
And guess what? Using this little trick/function in Flash, we managed to save a lot of people's money from being stolen.
In the end, Flash technology was not only a bag of vulnerabilities; it was also a "hero" that saved people's money and data.
Thank you Flash, it's been a pleasure working with you!
I have been improving the cybersecurity of companies for 17 years. | Penetration tests, consulting, security awareness.
4 years: Thank you mister Flash!