An open-source component used to display PDF files on WikiLeaks and other websites contains vulnerabilities that could be exploited to launch cross-site scripting (XSS) and content spoofing attacks against visitors, according to an article just published in PCWorld.
Named FlexPaper, the problematic component was developed by a company called Devaldi, out of New Zealand. The company confirmed the problems, which were first reported Thursday on the WikiLeaks supporters forum, and released FlexPaper 2.3.0 to address them. But as of Tuesday, the component remains on WikiLeaks.org, which was still using FlexPaper 2.1.2 on some pages.
The incident comes after Wired reported last week that in 2012 the FBI used a Flash-based component to decloak Tor users and find their real IP (Internet Protocol) addresses in an operation that targeted users of child pornography websites hosted on the Tor network.
Since WikiLeaks’ audience includes a lot of users that prefer anonymity, any vulnerability in the site that could potentially be used to expose their real location is of concern.
Users have called for WikiLeaks to instead link directly tofiles, which has precedent, as they did so with two secret documents allegedly leaked from the U.S. Central Intelligence Agency. The site published the documents Sunday and directly linked to the PDF files instead of displaying them in an embedded viewer.