Flasher Archive



Subject: Re: [flasher] Re: Hijacking Flash Content w/ Absolute Embed
From: Gregg Caines
Date: Tue, 13 Feb 2001 09:16:50 -0000

The SWF is pretty cool in that it's not necessarily helpless against
hi-jacking like GIFs and JPEGs...

One fairly airtight method would be:

Create a server-side script (ASP/JSP/PHP, etc.) to put your SWF in.
In addition to displaying your SWF, get the script to also calculate
an integer value based on the date (year + 2 * month + 3 * day) and
using that integer value as a filename, create a text file on the server
with only "play=true" in it.

In your Flash movie, create a function that calculates the same integer
value based on the date, and use loadVariables() to load that text file
from the server, thereby setting the value of play to 'true'. Make
sure you set play to 'false' just before you load that text file, and
you'll ensure that they don't try sneaking "play=true" in through the
querystring. So... let your actionscript display the movie if
play == 'true', or give an error message if play != 'true'.

You might need to program in some extra flexibility to allow for the
difference in timezones, etc, but that's not much extra work...
Otherwise this should keep your SWF relatively secure... I'd have a
pretty hard time subverting that kind of security, without knowing
what the function is. That would probably require some kind of
reverse engineering of the SWF, which is possible, but it's easy to
stay ahead of the hi-jackers if they have to reverse-engineer your
SWF every time you change the function slightly... You won't find
many people will have that ability anyway...

If you want control over who frames or links to a specific page in
your site, you can check the HTTP-REFERRER in your script and
programmatically ensure that it comes from your site only...

It's not really much work if you know what you're doing, and would
really stump potential hi-jackers...

---------------------------------------------------
Gregg Caines
n e o m e t r i x systems inc.
http://www.neometrixsystems.com
gcainesatneometrixsystems [dot] com


> At 5:06 PM 2/10/1, Jim Duber wrote:
> >But, recently I've been informed by a colleague in Japan that he was able
> >to "hijack" my files by placing them into his own HTML page on his server
> >with absolute links to my .swfs in his object and embed code. He wanted to
> >know if there was a way to prevent this.
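
The server-side half of the scheme in the message above, as an added example that is not part of the original post: it computes the date token, lists the "play=true" files to write with a one-day margin for timezones, checks the Referer host, and counts how many distinct tokens the formula can yield in a year. The function names, the .txt extension, the 1-12 month numbering and the use of UTC are assumptions.

```javascript
// Added example; function names are hypothetical, not from the original post.
const DAY_MS = 24 * 60 * 60 * 1000;

// The post's formula: year + 2 * month + 3 * day.
// Assumptions: month counts 1-12 and both sides read the date in UTC.
function dateToken(date) {
  return date.getUTCFullYear() + 2 * (date.getUTCMonth() + 1) + 3 * date.getUTCDate();
}

// Timezone flexibility: a viewer's clock may already show tomorrow or still
// show yesterday, so tokens for all three days are accepted.
function acceptedTokens(now) {
  return [-1, 0, 1].map((off) => dateToken(new Date(now.getTime() + off * DAY_MS)));
}

// Files the server-side script writes; each holds only "play=true".
// The ".txt" extension is an assumption.
function tokenFiles(now) {
  return acceptedTokens(now).map((t) => ({ name: `${t}.txt`, body: 'play=true' }));
}

// Referer check: allow the request only when the header names our own host
// exactly. A missing or malformed header is rejected here; some browsers and
// proxies omit the header, so this also turns those visitors away.
function refererAllowed(refererHeader, ownHost) {
  if (!refererHeader) return false;
  try {
    return new URL(refererHeader).hostname === ownHost.toLowerCase();
  } catch (err) {
    return false; // not an absolute URL
  }
}

// Caveat: count the distinct tokens the formula produces over one year.
// Different dates share a token, so the value space is small.
function distinctTokensInYear(year) {
  const seen = new Set();
  for (let t = Date.UTC(year, 0, 1); new Date(t).getUTCFullYear() === year; t += DAY_MS) {
    seen.add(dateToken(new Date(t)));
  }
  return seen.size;
}

// Constructed sample input: the date of the post and made-up Referer values.
const postDate = new Date(Date.UTC(2001, 1, 13, 9, 16, 50));
console.log(tokenFiles(postDate).map((f) => f.name));
console.log(refererAllowed('http://www.example.com/movies.html', 'www.example.com'));
console.log(refererAllowed('http://www.example.com.other.test/x.html', 'www.example.com'));
console.log(distinctTokensInYear(2001));
```
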





