Forgot your password?
typodupeerror
Bug Security Social Networks

Facebook and MySpace Backdoors Found, Fixed 106

Posted by Soulskill
from the oh-adobe-you-card dept.
jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
This discussion has been archived. No new comments can be posted.

Facebook and MySpace Backdoors Found, Fixed

Comments Filter:
  • Huh. (Score:5, Insightful)

    by Velorium (1068080) on Thursday November 05, 2009 @12:35PM (#29996036)
    I wonder how many people figured this out and didn't report it.
    • Re:Huh. (Score:5, Informative)

      by girlintraining (1395911) on Thursday November 05, 2009 @12:50PM (#29996242)

      I wonder how many people figured this out and didn't report it.

      They didn't need to figure it out... Facebook lets people suck all that data out by making a game about vampires, pirates, farming, or god only knows whatever else is out there. Why go through the back door when the front door is already open and a welcome mat thrown out?

      • Exactly. If you are in the business of stealing a persons data you're probably a hacker. If you're a hacker you probably know some programming. If you know some programming you can throw together a Facebook game over the course of a weekend.

        Then once 3 million people use your App - you can access their data. ...

        Have they fixed that yet? They've been aware of THAT problem for months.

        • by Aladrin (926209)

          Game!? Hah! Throw together a 'quiz' and you'll have them signing up in droves. It's ridiculous.

          As for as 'over the course of a weekend', I can attest to that. I managed to get Zend Framework to authenticate with Facebook and write the basic structure of a game in a weekend, while I was watching tv, playing games, reading both english and japanese, and I'm pretty sure I went out to see a movie, too. It's ridiculously easy to write something for Facebook.

          • Re: (Score:1, Funny)

            by Anonymous Coward

            araadarin san ha nihongo no hon o yomimasu ka? dou deshita ka?

    • I think "Tom" knew about it but he didn't tell anybody. Who knows, though; that guy is friends with everyone.

  • McCroskey (Score:4, Funny)

    by Captain Splendid (673276) <capsplendid@g m a i l . com> on Thursday November 05, 2009 @12:37PM (#29996066) Homepage Journal
    Looks like I picked the wrong week to deactivate my FB account.
    • Re: (Score:3, Funny)

      by natehoy (1608657)

      Surely you can't be serious?

    • Looks like I picked the wrong week to deactivate my FB account.

      Why? I've been on facebook since late 2004 and have never used a single app. You'd have been perfectly safe if you never used them or only used ones which you absolutely trusted.

      • by Itninja (937614)
        Wow...that's like the year FB started...back when it was The Facebook. Yet you have a 7 digit /. ID. Not sure what how much geekcred that averages out to.
      • Re:McCroskey (Score:5, Interesting)

        by darthflo (1095225) * on Thursday November 05, 2009 @12:52PM (#29996262)

        Curiously few people seem to have gotten that. I've got an account named "John Doe" to try 'em out and another one which I add people I know to. Funnily, John Doe has several hundred friends already, despite not actually existing.

      • Re:McCroskey (Score:5, Insightful)

        by natehoy (1608657) on Thursday November 05, 2009 @12:53PM (#29996266) Journal

        If I understand it, I have significant access to my friends' data on Facebook. When *I* sign up for an account, the app not only has access to my data, but any and all data I have access to. So you might not have given access to your data, but a friend might.

        Plus, doesn't Facebook use Flash on a few of their ads? With the old crossdomain setting, Facebook's advertisers could also have gained access to your data.

        Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.

        • Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.

          It's sad you have to tell people this.

          It's like putting up fliers on telephone poles and signing your name (and picture) with it. And then asking how people found out.

        • Don't post anything on Facebook.

          Fixed it for you.

        • Facebook has nearly the equivalent of ACLs. Learn to use the groups and privacy functions. You can put people into groups and then give groups, or individual people access (or block access) to nearly any aspect of the site. (And I'm guessing by extension Apps that those people use).

          Right now everything is locked down to the point that NO ONE can see anything by default. You can't even search me by name because I don't 'exist'. No pictures, no information, nothing.

          I have "Family", "Friends", "Acquaintances"

          • Re: (Score:3, Informative)

            by natehoy (1608657)

            So if someone in your "Family" group wants to find out what kind of left-handed vampire they are, then the app they are running has the same access to your profile that they do.

            That's the problem. You might trust the person, but they are running apps that might not be as trustworthy, and those apps adopt their Facebook authority to run.

            At least that's how I understand it.

      • by wiz31337 (154231) *

        I agree, unfortunately there are a lot of people that don't realize this and will click on any and every cool looking app out there.

        However, even if your Facebook account is compromised people need to realize that they should only be putting information on their page that they want the whole world to see. If people would just ask themselves one question "Am I ok with my [boss, wife, mom, complete stranger] knowing this" before posting a lot of issues could be avoided.

      • by bi_boy (630968)
        The problem is if any of your friends used an app or took quiz that means all of your information was compromised also.
    • by rickb928 (945187)

      Maybe someone can help you with that? Whether you know it or not?

    • There's never a wrong week to deactivate your facebook account....
  • Blunderware... (Score:1, Interesting)

    by adosch (1397357)
    I feel it as a personal accomplishment I *dont* have social network accounts on Facebook, Myspace and alike. It's bad enough people openly don't care about privacy or salvaging their identity, but ITFA, this clearly lets you 0wn any account in an auto-login status. And the guy is absolutely right... what typical, non-aware user doesn't? Glad to see all those bad script-kiddie hack sites that boast breaking into social network accounts for $100 a pop will lose a bit of their income to buy Mt. Dew and oreo
    • Re: (Score:2, Insightful)

      by maxume (22995)

      Well, it is an achievement, much in the same way that not eating a bucket of KFC everyday is an achievement

    • Re: (Score:3, Funny)

      by imakemusic (1164993)

      I feel it as a personal accomplishment I *dont* have social network accounts on Facebook, Myspace and alike.

      Well, you say that but we all know it's because you don't have any friends.

      • by adosch (1397357)
        ...no, it's not anything like that. It's so I don't have to be like you and brag about your mega-uber friend list which is solely derived off your MySpace hit counter. Friends don't comein quantities, they are counted by quality. Wait until the next viral social fag-wagon hits... you'll be the next emo kid to slit your wrists b/c you don't have any more "friends".
        • It's so I don't have to be like you and brag about your mega-uber friend list which is solely derived off your MySpace hit counter.

          Instead you can brag about how you're too good to have an account on any such sites.

          I think The Onion needs to do a follow-up to the feature article about the man who doesn't have cable television.

          • by adosch (1397357)

            Instead you can brag about how you're too good to have an account on any such sites.

            ...too good? or not a passive, social parasite looking for any outlet to 'get noticed' or 'get attention'. You choose to waste your time posting to the world about what you did every 5 minutes for the last hour with your My-Twit-Face account and 'hope' your friends make time to observe it. I simply take that time and spend it with my friends.

      • by mcgrew (92797) *

        Hey, you're right! [slashdot.org] He does have one fan, [slashdot.org] though.

    • by Culture20 (968837)

      I feel it as a personal accomplishment I *dont* have social network accounts on Facebook, Myspace and alike.

      Wait, so that's a fake you on FB whose last status update was "I <3 my little ponies"? I can't be your friend any more. I like the FB you better.

    • by tibman (623933)

      I will agree with you that it's a small accomplishment to not have a social networking account anywhere. Mostly because everyone goes "sign up so we can do X together" or "sign up so we can be 'in a relationship' together" or whatever other viral method of spreading is popular today.

      I still have an LJ account from around the time i first signed up at slashdot. *sigh* yes! i know that is a blog.. and yes i know that blogs aren't cool anymore. But what i discovered is that when it became uncool.. suddenly

      • by JonJ (907502)

        "sign up so we can be 'in a relationship' together"

        Be in a what together? Does this require that I leave my basement? In that case, no thanks!

  • God damn paypal! Always messing things up
  • by kenp2002 (545495)

    There went my plan for consulting for HR departments by checking Facebook and Myspace profiles. Guess I am stuck snooping Slashdot accounts and news sites for $10 a person.

    • Ask the guy if you can buy (share) his identity so you can take the MySpace job offer while he takes the one from Facebook.

      Maybe YOU can be the one at Facebook instead, if you offer enough cash, but they might be better able to figure out who you are.
  • by WankersRevenge (452399) on Thursday November 05, 2009 @01:19PM (#29996594)
    It amazes me that facebook rose to prominence in the way it did. Out of all the sites I have ever used, Facebook is the worst when it comes to bugs. It simply floors me at how much bad code is pushed out to production servers or how many things break on a daily basis. I'm not talking simple copy bugs, but full on showstopping bugs. At one point, I was filing bug reports to them on a daily basis. If there is any qa department, it is incredibly lax. I'm guessing it's just a couple of interns sniffing for a gig. The only reason I'm using facebook is to grow my zombie blog, and once I reach a point where my traffic isn't dependent on that site, I'm dropping them like a friggin rock. And it will be a glorious day indeed.
    • This interview [youtube.com] gives a brief glimpse as to how Facebook's office dynamic is like. Surprised they get anything done.
    • by mcgrew (92797) *

      Out of all the sites I have ever used, Facebook is the worst when it comes to bugs.

      I see you've never been to slashdot.

    • Out of all the sites I have ever used, Facebook is the worst when it comes to bugs.

      All three of them?

    • Out of all the sites I have ever used, Facebook is the worst when it comes to bugs.

      I'm guessing you've never used friendster, myspace, or slashdot.

    • The only reason I'm using facebook is to grow my zombie blog....

      There was once a day you just didn't hear sentences like this.

  • Remove Flash's ability for cross-domain cookies. Browser plugins should use the browser's cookie storage, IMO.

  • What about the backdoor that lets you find someone's picture album and their profile if you have the filename of one of their pictures from the album (say, someone dragged the picture into a folder, and then e-mailed it or posted it on a message board, thinking that since they're not posting a link to the facebook photo they're anonymous)?

    Will they ever fix that?

  • Yeah, I'm a lamer, I have a FaceBook account.

    Am I the only one who's been getting a shitload of FaceBook spam recently?
  • I am happy to hear that the patch is out in action otherwise WOULD YOU LIKE TO ENLARGE YOUR P**IS ?
  • So did I get this correctly...

    I have a crossdomain.xml file on my website a.com with a very lax policy (allow *). This means that pretty much any flash file I open from any other site can access a.com and see (or copy) data with my permissions? If I have auto-login enabled (as in the facebook example) it can log in with my cookies and collect the data without the site being open, and if my site does not feature auto login it can still access the data given I have an open session?

  • Facebook is no comparison to myspace . Myspace is different zone of siti Premium White Pro [ezinearticles.com]

Parkinson's Law: Work expands to fill the time alloted it.

Working...