Flash Content-Type Sniffing Vulnerability
Unknown
Vulnerability Details
Hello,
There's a **Flash Content-Type Sniffing vulnerability**. Using this vulnerability I can read the client-side source code of your website from a different origin (say prakharprasad.com) and then look for potentially sensitive data in those pages, for example CSRF prevention tokens, and then successfully mount a site-wide CSRF attack (as I can read the token every time and on every page) or read messages. Once the victim views my page, I can read his `https://staging.uzbey.com/*` webpage source and then extract the data I need (messages, anti-CSRF tokens and what not).
**Proof-of-Concept**:
1. Login to your Uzbey account
2. Visit https://demo.prakharprasad.com/uzbey/uzbey.html (and wait for 5 -10 seconds)
3. Now visit https://staging.uzbey.com/messages and you'll see a message has been sent to *admin* saying *DemoHAX :)*
**How does this work?**
1. My webpage loads an `<iframe>` pointing to https://demo.prakharprasad.com/uzbey/sniff.html
2. `sniff.html` essentially embeds an SWF-file that has been uploaded to my (attacker's) photo gallery with **.jpg** extension - https://staging.uzbey.com/sites/default/files/magic.jpg
3. Once the embedded file runs, it sends a **GET** request to `https://staging.uzbey.com/messages/new` and passes the callback to a function called `nice()` within `sniff.html`. The callback data is the source code of the page that was requested with a **GET** earlier.
4. Now the `nice()` function parses the page for `form_build_id` and `form_token`, builds up a form to mount the CSRF attack and then submits the form with a **POST** request.
5. **Game over! :)**
Basically I used the upload functionality to upload the malicious SWF with **.jpg** extension and then loaded it in an iframe and did my work!
Thanks,
@prakharprasad
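The root cause above is that a file uploaded with a `.jpg` name was stored and served as-is, so a plugin could sniff it as an SWF and run it with the site's origin. Added example (not code from the report or from Uzbey): a server-side upload check that compares the file's leading bytes against the declared extension and explicitly rejects SWF signatures, plus the response headers a defender should send when serving user uploads. The function names, the allowed-extension list and the sample bytes are assumptions constructed for this illustration.

```python
# Added example, not the site's own code. Validates that an uploaded "image"
# really is one, and builds headers for serving stored uploads safely.

# Leading bytes for the image types this hypothetical gallery accepts.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".png": "image/png", ".gif": "image/gif"}

# SWF signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def classify_upload(data: bytes, filename: str) -> str:
    """Return 'ok' if the content matches the extension, else a rejection reason."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in IMAGE_MAGIC:
        return "rejected: extension not allowed"
    if data[:3] in SWF_MAGIC:
        # This is the case from the report: an SWF renamed to .jpg.
        return "rejected: SWF content disguised as image"
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return "rejected: content does not match extension"
    return "ok"


def upload_response_headers(filename: str) -> dict:
    """Headers for serving a stored upload so the browser never sniffs its type.

    Serving uploads from a separate, cookie-less origin is the stronger fix,
    because an SWF only inherits the privileges of the origin it is loaded from.
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return {
        "Content-Type": CONTENT_TYPES.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }


if __name__ == "__main__":
    # Constructed sample bytes: a JPEG header and a zlib-compressed SWF header.
    print(classify_upload(b"\xff\xd8\xff\xe0\x00\x10JFIF", "photo.jpg"))
    print(classify_upload(b"CWS\x0a\x00\x00\x00\x00", "magic.jpg"))
```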
Report Stats
- Report ID: 17390
- State: Closed
- Substate: resolved
- Upvotes: 1