Facebook ditches Flash videos to boost security

Facebook has ditched insecure Flash in favour of HTML5 for all its videos but will still use Flash in games, and is working with Adobe to secure technology.

Facebook ditches Flash videos to boost security
Facebook ditches Flash videos to boost security

Facebook has become the latest in a line of firms that has ditched insecure Flash in favour of HTML5 for all its videos. However, the social network will continue to use the technology in games on the website and said it would work with Adobe, the firm behind Flash, to improve reliability and security.

“We recently switched to HTML5 from a Flash-based video player for all Facebook web video surfaces, including videos in News Feed, on Pages, and in the Facebook embedded video player,” the company said in a blog post.

“We are continuing to work together with Adobe to deliver a reliable and secure Flash experience for games on our platform, but have shipped the change for video to all browsers by default,” it added.

Flash has been criticised by infosec experts over the last few years as hackers regularly make use of flaws in the technology to gain access to users' systems and organisations' infrastructure via browser-based attacks and zero-day exploits.

HTML5 ditches any plug-in method in favour of using technology within modern browsers to display content; this closes a common attack vector. However, Facebook has delayed making the move because of variations in the way some browsers implement the technology. Also, as HTML5 updates happen when the browser updates, it is far more likely to get patched up against attacks than Flash.

Among other firms switching away from Flash are Netflix (which is working on an HTML5-based video player), Twitch (which plans a move in the second quarter of 2016) and Amazon (which is dropping Flash from advertising). YouTube switched to a HTML5 based player in January 2015.

Steven Mills of PMC Telecom, told SCMagazineUK.com that the risk posed by Flash mainly affects the user-side.

“Browsers loading, for example, a flash-based game, are to an extent susceptible to malware attacks,” he said. “Remember pretty much everybody uses Facebook – unfortunately not everybody has reasonable security in place on their Laptops/PCs.  Switching to HTML5 from flash completely rules out one type of threat to Facebook users.”

Mills added that keeping Flash for games completely undermines the security benefits of switching to HTML5, as any page with Flash could still technically infect a user with malware.

“That being said, there are now fewer pages on Facebook loading up Flash, and this is certainly a step in the right direction. Rome wasn't built in a day and iPhone didn't even “have” Flash for many years due to security, performance, and developer reasons.”

Chris Boyd, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that the move is welcome but Facebook users should still be cautious around downloads offered up as games where Flash is concerned.

“Fake Flash downloads and imitation Facebook pages have been a problem for many years, and they'll be around for many years to come,” he warned.

Tim Erlin, director of security and product management at Tripwire, told SCMagazineUK.com that with  an appropriate response, Sanrio is unlikely to experience significant damage from this incident. “Companies that plan for a breach, and design a response ahead of time, can mitigate the most serious possible impacts and reduce the cost of the breach.”

Mark James, security specialist at IT security firm ESET, told SCMagazineUK.com that firms need to understand that all data has a value especially information about minors.

“I know it's easy to state that an adult must help you sign up and a minimum age is required to use your services but when has that ever stopped someone? Yes, we are responsible for our children, but you are also responsible for doing as much as you possibly can to protect that data if you're going to request and store it electronically,” he said.