Macromedia flash supplies user-tracking field to swf (flash movies) ads:
"The clickTAG is the tracking code assigned by the ad serving network to an individual ad. The clickTAG allows the network to register where the ad was displayed when it was clicked on. This click through data is reported to the ad serving servers so advertisers may determine the effectiveness of their campaign.
The code below will allow ad serving networks to dynamically assign a clickTAG to their ad.
In this example, a getURL action is being assigned to a button that will navigate the browser to ["clickTAG"]. The "getURL(clickTAG)" statement appends the variable data passed in via the OBJECT EMBED tag and navigates the browser to that location. It is the tracking code assigned by the ad serving network, which allows them to register a user's click on that advertisement.
For example in the following script:
("XXXX" = arbitrary script or tag)
Replacing "XXXX" with a script to steal cookies will enable an attacker to perform session hijacking if the session is saved in the cookie, or to gain the private information present in ad tracking cookies.
To prevent session-hijacking, it is recommended to configure the flash ads to run on a separate sub-domain. This will prevent session hijacking, although it will not prevent privacy leaks pertaining to the advertising cookie.
"A new player version is NOT required. Macromedia Flash advertisements that accept clickTAGs need to validate that the clickTAG URL begins with "http:". This helps ensure the clickTAG does not contain malicious code."
Quote from the official Macromedia security advisory.
We recommend that all user input should be filtered for malicious code and characters and never trusted "as-is".
Mitre has assigned CAN-2003-0208 to this vulnerability.
Macromedia has also revised the Designer's Guide and added this note: