Today I want to share with you one of my findings in 2013, which is an XSS in a flash file that was used by many famous websites, the flash file was called sIFR (Scalable_Inman_Flash_Replacement).

Q: How I found it ?

T But, how did I find it? Till today I thought that I was the first one to report this issue, in fact it is an old bug That have CVE (read more). So let’s talk about what I found, as I was looking for a bug in Adobe, my browser got me to: PHOTOSHOP CS3&textcolor=

 The (txt) was a simple text.
The (textcolor) was get a HTML color code.

The page showed XSS  when I made the payload, I got the txt parameter to show our text, so let me explain what I did regarding the HTML.<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>

It worked! and I found XSS on Adobe. But I noticed something in the URL: PHOTOSHOP CS3&textcolor=

It looks like a path of a file in “”, so I deleted the “” from the URL. and went to:<a href="javascript:alert('Xssed by Abdullah Hussam')">xss</a>   <br>


I injected my name in the code, and it was my beginning with bug bounty, a very good one actually.
I thought that (sIFR2.0.2) is an Adobe product that can be found in other website, and I started looking everywhere for it in other websites, and I found it to be used by major and governmental companies, including Visa ,AMEX, Blackberry, Stanford, Harvard, …etc.

Here is a samples :





The PoC video :

There are still many others vulnerable websites to find this in. 

Thank you for reading.