

Google and Yahoo’s Flash indexing is revealing… too much? - edw519
http://aralbalkan.com/1404

======
tlrobinson
This all boils down to poor practices and false assumptions by Flash
developers.

Just because it's compiled bytecode doesn't mean you can hide secrets in it;
that's security through obscurity.

And always use POSTs for actions that modify data on the server, never use
GETs for anything except requests which only retrieve data (and don't modify
anything).

~~~
jrockway
It's even simpler than that -- don't let unauthenticated users break things!
Google is not stealing someone's password to get to your site, they are just
clicking links. If that can break things, you need to fix your application!

(BTW, GET requests can have side effects in practice; a GET updates the
logfile, potentially filling your disk, for every request.)

------
radley
Great find!

In general, we don't hide secrets in Flash because it's easy to decompile. We
already knew that.

To help _real_ developers understand why this is a problem for Flash
developers: Imagine the problems you'd have if Google suddenly started to
combine your Google Code Search results with your content search results.

