Adobe confirms Flash Player bug nicked Google log-ins

Adobe has confirmed that it patched a Flash Player bug over the weekend because the bug was being used to nick the login credentials of Google’s Gmail users.

The emergency update is a sign of how dangerous the hole was. The “important” vulnerability was patched over the weekend, in the second patch for Flash in less than a month and the fifth this year.

Hackers were tricking the user into clicking on a link delivered in an email message, targeting Gmail.

An Adobe spokesperson said that other web mail providers may be targeted, but that the company had not heard of any such attacks.

According to Adobe’s blog, the Flash vulnerability is a cross-site scripting bug, a type of flaw often used by identity thieves to hijack usernames and passwords from vulnerable browsers or, in this case, the Flash Player browser plug-in.

The plug-in is often targeted because it is installed on most people’s machines.

The flaw was noticed by Google, which reported it to Adobe. The attacks are not believed to be the same sort that the search engine laid at the door of Chinese hackers.

Those attacks just duped victims into entering their username and password on a fake Gmail login screen.

Adobe updated the Windows, Mac OS X and Linux versions of Flash Player on Sunday. A patch for the Android edition will be released sometime this week.

Google, which bundles Flash Player with Chrome, also updated its browser on Sunday.

Adobe said it wasn’t sure whether its popular Reader could be vulnerable to something similar but it is investigating that too. However, there is nothing urgent in that, as it has not been exploited yet.

In any event Reader will be patched in a June 14 update to fix other flaws the company has previously acknowledged in authplay.dll.