Topics: Bug, Security, Social Networks

Facebook and MySpace Backdoors Found, Fixed

Posted by Soulskill
from the oh-adobe-you-card dept.
jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a Flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any Flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
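The crossdomain.xml mechanism described in the summary can be audited mechanically. The following Python script is an added example, not code from the story or from the developer who found the hole: it parses a Flash policy file and flags the setting that caused the problem above (`allow-access-from domain="*"`) together with two related settings from Adobe's policy-file format (`secure="false"`, and a missing `<site-control permitted-cross-domain-policies="master-only">`), then runs the check across several hostnames, because a locked-down policy on the main domain says nothing about what a subdomain serves. The sample policies and hostnames are constructed for the example and are not the real Facebook or MySpace files.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy files (not the real Facebook/MySpace contents).
WIDE_OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

LOCKED_DOWN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="cdn.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_crossdomain_policy(xml_text):
    """Return a list of (severity, message) findings for one crossdomain.xml.

    An empty list means nothing risky was found. Severity is "high" for
    entries that let arbitrary origins read the host and "medium" otherwise.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is <%s>, expected <cross-domain-policy>" % root.tag)]

    # Without master-only (or none), Flash also honours policy files served
    # from other paths on the host, so any user-controlled path can widen access.
    site_control = root.find("site-control")
    permitted = None
    if site_control is not None:
        permitted = site_control.get("permitted-cross-domain-policies")
    if permitted not in ("master-only", "none"):
        findings.append(("medium", "site-control missing or not master-only/none: "
                                   "non-master policy files are honoured"))

    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append(("high", 'allow-access-from domain="*": a SWF on any origin '
                                     'can read this host with the visitor\'s session'))
        elif domain.startswith("*."):
            findings.append(("medium", 'allow-access-from domain="%s": trust extends to '
                                       'every subdomain, including user-content hosts' % domain))
        # "secure" defaults to true; false lets plain-http SWFs read an https host.
        if entry.get("secure", "true").lower() == "false":
            findings.append(("medium", 'allow-access-from domain="%s" secure="false": '
                                       'http:// SWFs may read https:// content' % domain))
    return findings


def is_wide_open(xml_text):
    """True when the policy grants arbitrary origins access."""
    return any(sev == "high" for sev, _ in audit_crossdomain_policy(xml_text))


def audit_host_policies(policies_by_host):
    """Audit a mapping of hostname -> crossdomain.xml text.

    Returns the hosts that are wide open. Session cookies are commonly scoped
    to the parent domain, so one permissive subdomain undoes the main host's
    locked-down policy; this is the situation the story describes.
    """
    return sorted(host for host, xml_text in policies_by_host.items()
                  if is_wide_open(xml_text))


if __name__ == "__main__":
    # Constructed hostnames: the front door is locked, a subdomain is not.
    sample = {
        "www.example.com": LOCKED_DOWN_POLICY,
        "apps.example.com": WIDE_OPEN_POLICY,
    }
    for host, xml_text in sample.items():
        for severity, message in audit_crossdomain_policy(xml_text):
            print("%s [%s] %s" % (host, severity, message))
    print("wide-open hosts:", audit_host_policies(sample))
```

In practice the input would be the policy file fetched from `/crossdomain.xml` on every hostname under the site's cookie domain, not just the main one; the per-host loop is the part that catches the subdomain case from the story.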
  • Blunderware... (Score:1, Interesting)

    by adosch (1397357) on Thursday November 05, 2009 @12:46PM (#29996184)
    I feel it as a personal accomplishment I *don't* have social network accounts on Facebook, MySpace and alike. It's bad enough people openly don't care about privacy or salvaging their identity, but ITFA, this clearly lets you 0wn any account in an auto-login status. And the guy is absolutely right... what typical, non-aware user doesn't? Glad to see all those bad script-kiddie hack sites that boast breaking into social network accounts for $100 a pop will lose a bit of their income to buy Mt. Dew and Oreos due to this being publicly uncovered...
  • Re:McCroskey (Score:5, Interesting)

    by darthflo (1095225) * on Thursday November 05, 2009 @12:52PM (#29996262)

    Curiously few people seem to have gotten that. I've got an account named "John Doe" to try 'em out and another one which I add people I know to. Funnily, John Doe has several hundred friends already, despite not actually existing.
