Macromedia Flash Support Center - TechNote

Privacy and Macromedia Flash Ad Tracking

Summary
Macromedia invests considerable ongoing effort to ensure that the security and privacy of all Macromedia Flash Player users and all web sites serving Macromedia Flash content are protected.

Macromedia is committed to protecting its customers in relation to security and privacy. This is a long-term effort for Macromedia across all products. As part of this effort we encourage best practices for developing secure applications.

Recently, Macromedia became aware of an issue with respect to how certain Macromedia Flash advertisements have been implemented.

In general, input into applications should be verified, and not assumed to be safe. Flash applications are no exception to this rule. In this specific case, a URL parameter was assumed to not contain malicious scripting code. By verifying the input prior to processing, you can ensure the security of your application.

This practice should be followed by all Flash Developers.

Specific Case
Macromedia Flash advertisements frequently make use of a clickTAG parameter to allow the HTML pages that contain them to specify the click-through destination URL for the advertisement. A maliciously constructed HTML page could source such an advertisement and provide a specially constructed clickTAG URL containing JavaScript or other browser scripting code. If the Macromedia Flash advertisement is not validating clickTAG URLs before passing them to the ActionScript getURL function, these JavaScript URLs would cause the advertisement to execute scripting code.

The only exposure known to be caused by this issue is the possibility of unauthorized Web sites gaining access to HTTP cookies used by ad serving providers, in conjunction with Macromedia Flash advertisements, that do not perform clickTAG validation. Cookies from other Web sites cannot be compromised by this issue.

By convention, the HTTP cookies used in conjunction with advertisements do not contain personal data. These cookies are generally used only for ad tracking and anonymous identification; therefore, Macromedia does not anticipate that consumers’ privacy could be violated by this issue.

Solution
A new player version is NOT required. Macromedia Flash advertisements that accept clickTAGs need to validate that the clickTAG URL begins with “http:”. This helps ensure the clickTAG does not contain malicious code.

To date the majority of ad serving providers are doing this. Macromedia is working directly with ad serving providers to ensure they are following this practice in their Macromedia Flash advertisements. In addition, Macromedia has updated the Rich Media Advertising best practices document at http://www.macromedia.com/resources/richmedia/tracking/designers_guide/ to reflect this requirement.
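
The clickTAG check described above, written out as an added example (not code from this TechNote or from Macromedia's guide). The helper name isAllowedClickTag, the allowedPrefixes list, the clickButton instance name and the sample URLs are assumptions made for illustration; the case-insensitive compare goes slightly beyond the literal "http:" test so that an upper-case scheme is handled the same way.

```actionscript
// Frame 1 of the ad's main timeline (ActionScript 1.0, Flash MX handler syntax).
// clickTAG is read from _root, where the embedding page's URL parameter
// is placed when the movie loads.

// Prefixes the ad will navigate to. The TechNote requires "http:"; adding
// any other entry is a deployment decision that the TechNote does not cover.
var allowedPrefixes = ["http:"];

// Hypothetical helper: returns true only when url is a non-empty string that
// begins with an allowed prefix. The compare is case-insensitive because
// browsers treat URL schemes case-insensitively.
function isAllowedClickTag(url) {
    if (typeof(url) != "string" || url.length == 0) {
        return false;   // parameter missing, empty, or not text
    }
    var lower = url.toLowerCase();
    for (var i = 0; i < allowedPrefixes.length; i++) {
        var prefix = allowedPrefixes[i];
        if (lower.substr(0, prefix.length) == prefix) {
            return true;
        }
    }
    return false;       // javascript: and every other scheme or relative path
}

// clickButton is an assumed instance name for the ad's click-through button.
clickButton.onRelease = function() {
    if (isAllowedClickTag(_root.clickTAG)) {
        getURL(_root.clickTAG, "_blank");
    }
    // Otherwise do nothing: an unvalidated value never reaches getURL.
};

// Constructed sample values for checking the helper in the Output panel.
trace(isAllowedClickTag("http://www.example.com/landing")); // ordinary click-through
trace(isAllowedClickTag("HTTP://www.example.com/landing")); // upper-case scheme
trace(isAllowedClickTag("javascript:void(0)"));             // script URL
trace(isAllowedClickTag(undefined));                        // clickTAG not supplied
```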



ID: 18614
Product: Flash
Versions: All
OS: All
Browser: All
Server: All
Database: All
Former ID:  

Last updated: April 11, 2003
Created: April 11, 2003