Facebook and MySpace Backdoors Found, Fixed

jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.

Huh.

[Velorium]

I wonder how many people figured this out and didn't report it.

Re:McCroskey

[natehoy]

If I understand it, I have significant access to my friends' data on Facebook. When *I* sign up for an account, the app not only has access to my data, but any and all data I have access to. So you might not have given access to your data, but a friend might.

Plus, doesn't Facebook use Flash on a few of their ads? With the old crossdomain setting, Facebook's advertisers could also have gained access to your data.

Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.

Re:Blunderware...

[maxume]

Well, it is an achievement, much in the same way that not eating a bucket of KFC everyday is an achievement

Re:Blunderware...

[Anonymous Coward]

I feel it as a personal accomplishment I *dont* have social network accounts on Facebook, Myspace and alike.

I hate to break this to you.... wait, actually I rather enjoy it. I was just trying to be polite. Let's face it, you're on Slashdot. You're either an asshole, a moron, or a zealot. Possibly even a combination of all 3. People in real life don't want to associate with you, much less be your friend in a social network. Let's also be clear about something here. You aren't important enough for anyone to want your information. That's just the way it is. There is no reason for you to feel accomplished in not having an account. Nothing you have actually matters to anyone except you.

Facebook is a buggy mess

[WankersRevenge]

It amazes me that facebook rose to prominence in the way it did. Out of all the sites I have ever used, Facebook is the worst when it comes to bugs. It simply floors me at how much bad code is pushed out to production servers or how many things break on a daily basis. I'm not talking simple copy bugs, but full on showstopping bugs. At one point, I was filing bug reports to them on a daily basis. If there is any qa department, it is incredibly lax. I'm guessing it's just a couple of interns sniffing for a gig. The only reason I'm using facebook is to grow my zombie blog, and once I reach a point where my traffic isn't dependent on that site, I'm dropping them like a friggin rock. And it will be a glorious day indeed.