Originally posted at: http://tech.nocr.at/hacking-security/nmap-127-0-0-1-flash-style

A design flaw found in ActionScript (Flash) has been allowed the scanning hosts via trial and error. Whenever a port is queried by Flash that isn’t open, it responds with a “SecurityErrotEvent” instantly. But, when a port is open, it doesn’t get that response for an extended period of time, while it waits for a reply to “policy-file-request”. PoC can be viewed at the below address. Now the question is: What ELSE can you do with this information once you have this ability. I’ll leave that up to the color of your hat.

http://scan.flashsec.org/