The Unity Web Player plugin has a vulnerability which allows a malicious Unity application to bypass normal cross-domain policies and access any website with credentials of the current user.
For example, the application could download the target user’s private messages from Gmail or Facebook and quietly pass them to the attacker.
When running on Internet Explorer, it’s also possible to read local files from the target user’s hard disk.
The attack can be carried out when the target user views a web page containing the attacker-crafted Unity app. Depending on the web browser and its version, the plugin may or may not start directly without confirmation.
Unity Web Player is a fairly popular plugin. In 2013 the company estimated the number of installs as over 200 million.
The vulnerability was found by Jouko Pynnönen of Klikki Oy, Finland.
