To answer your question, there are a number of elements that I will try to discuss as briefly as possible in order to have a better grasp of the whole issue. Note that I exclude totally any Adobe Flash vulnerabilities that may be a threat to the user's privacy as it is not what you are asking about.
- Can I get hardware and operating system information with Flash?
You need to look at the Capabilities class and see what information it can get from your operating system and hardware. For instance, the cpuArchitecture property specifies the current CPU architecture. The cpuArchitecture property can return the following strings: "PowerPC", "x86", "SPARC", and "ARM". The server string is ARCH, while the os property specifies the current operating system.
Note:
This paragraph does respond to the question whether such data may be sent using a Flash web application over Internet or not. That will be discussed later on.
- What is a Flash web application?
A Flash web application is any SWF/FLV content that can vary from a video you want to view in your browser to a full-fledged and complex application where Flash plays a very important role, such as in sharedtalk.com.
- What are local shared objects?
The problem with running a Flash web application (apart from the Flash vulnerabilities that you are not addressing here) resides in what we call local shared objects (LSOs), better known as Flash cookies. Flash cookies are relatively unknown (Schneier on Security: Flash Cookies).
While an HTTP cookie stores only around 4KB of data, a Flash cookie contains up to 100KB of data (ActionScript 3.0 Cookbook). You can even enhance the storage capacity of a Flash cookie at your will. A Flash cookie is not stored in a file within the browser space but in a separate Adobe file with a .sol file extension: this means the browser has no control over Flash cookies, and when you clear your browser's cookies, Flash cookies are still there on your computer (but there are tools to delete them).
- Which content may be stored within a Flash cookie?
For HTTP cookies, contents are determined by the specific website that created the cookie, so contents vary from site to site. This also applies to Flash cookies.
The Flash cookie is generally used to save the user's settings (for example, when you watch a video on YouTube and change the dimensions of the video screen, the dimensions are stored in the Flash cookie).
- What are the main privacy issues inherent to LSOs?
Flash cookies contain the information that may be held in an HTTP cookie and much more, except the field related to the expiration date: Flash cookies do not have an expiration date by default, as is the case with HTTP cookies (where the common practice of companies' websites is usually to set it to 30 days). One of the reasons for this is that companies tracking users noticed that a lot of users clear their cookies at least once per month, which leads to overestimating the number of true unique visitors to websites, and thus to overpayment for advertising companies (The Impact of Cookie Deletion on the Accuracy of Site-Server and Ad-Server Metrics: An Empirical Comscore Study).
But what is worse is that a Flash cookie may recreate HTTP cookies you previously deleted (respawning cookie, persistent identification element).
Note that the less aggressive LSO contains the globally unique identifier that identifies your computer for the web application that tracks you.
- What is Flash hardware acceleration and why mention it?
Hardware acceleration is when you have hardware designed to accelerate a specific function. So, for example, when you decode or encode video you do it on the CPU. Some video cards allow you to do this on their GPU instead, so you now have "hardware accelerated video decoding" (What does “hardware acceleration” refer to?). Flash hardware acceleration is hardware acceleration for Flash (Performance or display issues with certain Flash videos). In most browsers this feature is disabled by default, but activating it to better visualize a given Flash web application exposes you to revealing more information about your hardware. But why mention this? Because such information is stored in LSOs.
- So may my OS and hardware information be leaked out?
I prefer to quote you this directly from the official documentation (Flash Player Help):
Note that it is the person or company that has created
the application you are using that is requesting such access, not
Adobe (unless Adobe has created the application that wants to save the
information). It is the responsibility of the person or company
requesting access to make it clear to you why they want access and how
they plan to use the information they save. You should be aware of the
privacy policy of anyone who is requesting access to your computer.
For example, see the Adobe privacy policy. Contact the website
requesting access for information on their privacy policy.
Also, one important thing to read from that documentation:
(Flash Player 8 and later) If you have downloaded SWF or FLV content
to your computer, a dialog box might appear alerting you that the
content is trying to communicate with the Internet. Flash Player 8 and
later versions do not allow the local SWF or FLV content to
communicate with the Internet, by default.
And since it is possible to retrieve both OS and hardware information using the Capabilities class described in the first point, and a Flash web application may require, under your permission as you can read from the same last link, more than 100KB, and if the web application is nefarious, the definite answer to your question is that it is likely, I mean possible, to happen, especially with a user misinformed about security issues.
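
Added example (not part of the original answer, and not Adobe's code): because .sol files live outside the browser's cookie store, they can be inventoried directly on disk. This sketch walks a folder passed in as `root` (for instance a copy of Flash Player's #SharedObjects directory), groups .sol files by site and reads the object name from each header; the header layout, the directory layout and the sample tree with its made-up sites are assumptions constructed for the demo.

```python
import os
import pathlib
import struct
import tempfile

# Assumed .sol header: magic, u32 length, "TCSO", 6 bytes, u16 name length, name
SOL_MAGIC = b"\x00\xbf"

def parse_sol_name(head):
    """Return the shared-object name stored in a .sol header, or None if malformed."""
    if len(head) < 18 or head[:2] != SOL_MAGIC or head[6:10] != b"TCSO":
        return None
    (name_len,) = struct.unpack(">H", head[16:18])
    name = head[18:18 + name_len]
    return name.decode("utf-8", "replace") if len(name) == name_len else None

def inventory_lsos(root):
    """Group .sol files under root by site (assumed layout: <random dir>/<site>/.../<file>.sol)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in (f for f in files if f.lower().endswith(".sol")):
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).split(os.sep)
            site = rel[1] if len(rel) > 2 else "(unknown)"
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the name sits in the first bytes
            report.setdefault(site, []).append(
                {"file": fname, "bytes": os.path.getsize(path), "name": parse_sol_name(head)})
    return report

def build_sample(root):
    """Write a constructed LSO tree (made-up sites and values) for the demo."""
    def sol(name, body=b""):
        payload = b"TCSO\x00\x04\x00\x00\x00\x00" + struct.pack(">H", len(name)) + name + bytes(4) + body
        return SOL_MAGIC + struct.pack(">I", len(payload)) + payload
    samples = {
        ("ABCD1234", "video.example", "player.sol"): sol(b"settings"),
        ("ABCD1234", "ads.example", "track", "uid.sol"): sol(b"uid", b"x" * 10),
        ("ABCD1234", "ads.example", "broken.sol"): b"not a shared object",
        ("ABCD1234", "video.example", "readme.txt"): b"ignored",
    }
    for parts, data in samples.items():
        path = pathlib.Path(root, *parts)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(inventory_lsos(tmp))
```

Sites that keep a small object with an identifier-like name long after the browser's own cookies were cleared are the ones worth reviewing first.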