I believe the newest style of Flash-based advertisements might be a security risk.
Have you ever seen a little Flash animated advertisement dance across some site page your visiting? Usually it's something rather clever and mildly entertaining, a ball bouncing around, a car driving around, or some video of a person doing something to grab your attention. generally covering up the very thing your interested in reading. These are quite clearly advertisements.
However, I just came from a site where the Flash advertisement perfectly overlaid, and masked content on the host site. Now the advertisement itself was of course coming from a 3rd party site, so it was indeed quite clever of the designers to get pixel perfect precision of the current content, overlay images and static content, and then create a fancy breakout animation. What was not pleasant is that I was totally unaware that the animation, advertisement was running.
During that time, I clicked within fields to login to the site and autonomously typed my username and password (while also glancing up and watching television). When I looked back down, no text was visible in the fields. I clicked them again and tried typing. Nothing showed up. Then the advertisement played its animation.
Obviously, the advertisement had overlaid everything on the page, and I'd been clicking focus into the Flash application itself. I know from my own Flash application development that the app was perfectly capable of recording my keypresses while it had focus. So...
Anyone have experience creating these sort of "clever" Flash advertisements? What is protecting people from falling victim to a truly malicious Flash advertisement, specifically designed to overlay real content and fields and capture user entries?
Just so you are aware, flash running in a page can communicate to JavaScript via ExternalInterface
This allows the programmer to run any JavaScript code they would like (especially because flash can call the eval function in JavaScript).
Any flash running on the page has the ability to set a JavaScript event handler on the username/password fields of a form and capture the values entered. The flash program could then do whatever it wanted with the data.
If the site you're logging into has flash advertisements on the login page, it's no longer a secure login. This is also true of any other form/page data. Does your online banking run flash advertisements?
Edit to clarify:
Can an Adobe Flash advertisement capture user account name and password for a site hosting the advertisement?