WTF?
I thought we were supposed to be getting away from these bloody things and going to HTML5, not introducing even more of them.
Plugins, I mean.
A vulnerability has been found in the Unity Web Player plugin, which could allow an attacker to access any website with the credentials of the plug-in's user. The vulnerability could pass on private messages sent over Facebook and Gmail, or, if exploited on the Internet Explorer browser, it could even read local files from the …
There's a perfectly good "video"-tag. It just works, and even if it doesn't work you can always use an external player. It may not be perfect, but it's _much_ better than any of those special proprietary players will ever get.
The 1990s are over, get over it. Today you can just have an URL to a video file/stream inside a link and if people click it it'll just work.
So they reckon http://x:y@target.site/ is the same site as http://x:y@attacker.site/ ?
That means they aren't just naively comparing the two strings for equality. If they'd been *that* simple-minded, they'd have been safe. Tragically, however, someone knew that they had to parse the URL into components and compare only the domain. They just didn't know the syntax for a domain.
It reminds me of all those people who "knew" the extra rule about leap years and centuries, and consequently wrote extra code to get 2000 wrong.
Tough call...
A) Spend time/effort fixing issue with plugin that will be obsolete in a few months.
B) Try to rush replacement, hoping issue won't cause too much damage in the meantime.
I'd likely be using door number 2. I'd probably be trying to keep quiet about it as well! But ignoring a bug hunter results in bad publicity so they should have opened a dialogue with the guy at the very least imho.