Details on the Cross-Site Request Forgery Vulnerability Disclosed at Black Hat

Blog Post created by B-C-METOYX Employee on Aug 10, 2015

While I was on vacation this week, Akamai released the following:
Earlier today (Aug 6, 2015) at the Black Hat Security Conference in Las Vegas, Bishop Fox, a security research and penetration testing firm, announced the discovery of a vulnerability that allows an outside actor to conduct a cross-site request forgery (CSRF)/Server-Side Request Forgery (SSRF) attack using a combination of exploits. This vulnerability relied on the Akamai platform in two ways: specially-crafted legacy resource locators (also called v1 ARLs) in combination with specific versions of Flow Player.

Ahead of this announcement, Akamai closed the specific vulnerability described by disabling the use of v1 ARLs to go forward to mediapm.edgesuite.net. In addition, Akamai has made changes to protect customers using the related "Multi-Domain Config" feature, and continues to make security improvements surrounding other uses of v1 ARLs on our platform.

The researchers that discovered this vulnerability, Mike Brooks and Matthew Bryant, coordinated closely with Akamai to identify exposed domains ahead of time. They were extraordinarily gracious and helpful during the disclosure process, and we greatly appreciated working with them. Thanks to their cooperation, Akamai is already communicating with customers it believes have been exposed to this vulnerability, informing them of remediation plans. We currently have no evidence that indicates that this CSRF was used in a malicious fashion.

If you have any other questions regarding this vulnerability, please join the conversation and comment below. Alternatively, please contact your Akamai Representative directly.