Flasher Archive
Subject: Hijacking Flash Content w/ Absolute Embed
From: Jim Duber
Date: Sun, 11 Feb 2001 01:10:06 -0000

Greetings all,
I've got a couple of Flash 4 and 5 apps that I'm serving from an ISP here
in California. All have built-in "security" protection--they start by
checking the "_url" property of the movies. If it matches what's expected,
the movies continue. (I also have them checking a variable pulled in from
a relative load variable call.) And, finally, at the end, user data are
sent to a MySQL database via another relative load variable call to a PHP
file.
All seems to work fine.
Here's the basic idea of the security setup at startup (Flash 4 syntax):
    SetVariable "source" = _url
    SetVariable "URL" = [put URL to .swf file here]
    If (source eq URL)
        Begin Tell Target ("/startup")
            Go to and Stop ("OK")
        End Tell Target
    Else
        Begin Tell Target ("/startup")
            Go to and Stop ("Reject")
        End Tell Target
    End If
Then, at the end of the movies, I send user data to the server with a load
variables call to a php on my server, using a relative address. For
example (Flash 5 syntax):
    loadVariables("./processData.php3", "POST");
But, recently I've been informed by a colleague in Japan that he was able
to "hijack" my files by placing them into his own HTML page on his server
with absolute links to my .swfs in his object and embed code. He wanted to
know if there was a way to prevent this.
Gee, here I thought the security I'd built in would prevent just that. But
no--the movies play, the variables all load. The data *is* sent (I've
verified this) and the database shows the results. More bizarre is the
fact the HTTP-Referer variable reports back that the data are coming from
his URL.
Is there a better way to prevent such unauthorized use of my flash files
and server resources?
Thanks,
Jim Duber
______________________________________________________
interactive media developer/consultant duber dot com
http://www.duber.com
______________________________________________________
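
An added example, not part of the original post or the author's code: since the post reports that the HTTP Referer on the data submission showed the foreign page's URL, one server-side option is to check that header in the PHP endpoint before anything is written to the database. The host names and the function name `referer_is_allowed` are assumptions made for illustration.

```php
<?php
// Added example: server-side Referer check for a data-collection endpoint
// such as processData.php3. Host names below are constructed placeholders.

const ALLOWED_HOSTS = ['www.example.com', 'example.com']; // assumption: your own site(s)

/**
 * Return true only when the Referer header names a page on an allowed host.
 * A missing or unparsable Referer is rejected (fail closed).
 */
function referer_is_allowed(?string $referer, array $allowedHosts): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Compare the whole host exactly; a substring match would accept
    // hosts like www.example.com.other.test.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed sample headers; run from the command line to see the decisions.
if (PHP_SAPI === 'cli') {
    $samples = [
        'http://www.example.com/quiz/index.html',       // own page
        'http://other.test/mirror/quiz.html',           // foreign embedding page
        'http://www.example.com.other.test/quiz.html',  // look-alike host
        '',                                             // header absent
    ];
    foreach ($samples as $r) {
        printf("%-45s %s\n", $r === '' ? '(none)' : $r,
            referer_is_allowed($r, ALLOWED_HOSTS) ? 'accept' : 'reject');
    }
} else {
    // In the endpoint itself: refuse the POST before touching the database.
    if (!referer_is_allowed($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOSTS)) {
        http_response_code(403);
        exit;
    }
    // ... the existing insert logic would follow here (not shown on the page).
}
```

The Referer header is supplied by the client, so this check keeps pages on other sites from feeding the endpoint through a browser but does not authenticate the sender. A missing header is rejected here, which also turns away visitors whose browser or proxy strips it.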