Facebook and MySpace Backdoors Found, Fixed
jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting:
"Luckily — just as with browser AJAX requests — a Flash application hosted on domain X is unable to open a file on domain Y. If this were possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any Flash application (domain="*") to access its domain data."
He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
Huh. (Score:5, Insightful)
Re:Huh. (Score:5, Informative)
I wonder how many people figured this out and didn't report it.
They didn't need to figure it out... Facebook lets people suck all that data out by making a game about vampires, pirates, farming, or god only knows whatever else is out there. Why go through the back door when the front door is already open and a welcome mat thrown out?
Re: (Score:2)
Exactly. If you are in the business of stealing a person's data you're probably a hacker. If you're a hacker you probably know some programming. If you know some programming you can throw together a Facebook game over the course of a weekend.
Then once 3 million people use your App - you can access their data. ...
Have they fixed that yet? They've been aware of THAT problem for months.
Re: (Score:2)
Game!? Hah! Throw together a 'quiz' and you'll have them signing up in droves. It's ridiculous.
As far as 'over the course of a weekend', I can attest to that. I managed to get Zend Framework to authenticate with Facebook and write the basic structure of a game in a weekend, while I was watching TV, playing games, reading both English and Japanese, and I'm pretty sure I went out to see a movie, too. It's ridiculously easy to write something for Facebook.
Re: (Score:1, Funny)
Araadarin-san, do you read books in Japanese? How was it?
Re: (Score:2)
I think "Tom" knew about it but he didn't tell anybody. Who knows, though; that guy is friends with everyone.
McCroskey (Score:4, Funny)
Re: (Score:3, Funny)
Surely you can't be serious?
Damnit, people, can you see the problem here? (Score:3, Funny)
Surely you can't be serious?
I am. And don't call me Shirley.
People, do you not see the basic problem with using this joke in written format? Without a doubt this is a serious flaw in the English language: we are unable to use the "Don't call me Shirley" joke in written form because, while the words "Shirley" and "surely" are homonyms, the spelling is clearly different...
Ai propoz a simpl fix for this problem: Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz. Thas, thi standard "Shirley" jok wud bi exekyutid thus:
"Shirly yu kant bi
Re: (Score:2)
Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz
Ok, is it spelled "kaw" (New England), Kower (south) Kore (midwest), Kwa (Nwoo Yawk)?
Is it window, winder, or windah?
And you spelled "uv" rong. See how this is such an incredibly BAD idea?
Re: (Score:2, Funny)
Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz
Ok, is it spelled "kaw" (New England), Kower (south) Kore (midwest), Kwa (Nwoo Yawk)?
Is it window, winder, or windah?
And you spelled "uv" rong. See how this is such an incredibly BAD idea?
I did not spell "uv" wrong. The five vowels:
A E I O U
Take the following sounds:
Ah Eh EE Oh OO
This is in accordance with the usage of the vowels in other European languages, such as Spanish or Italian. Thus, the word "of" would be spelled "ov". "uv" would rhyme with "move".
Admittedly, some work would need to be done to refine the phonetic spelling system and to promote adoption and education of the new system. I figure in a generation or two we might be able to iron out these regional differences. Of cou
Re: (Score:2)
No, because then how do you distinguish between the sounds in "of" and "over"?
Ah = [a]fter = aftr
Eh = [e]ffort = efert
EE = [e]ven = iven
Oh = [o]ver = ovr
OO = wh[o] = hu
but you still haven't covered several other vowel sounds:
AA = [a]pe
Ih = [i]gloo
II = [i]vory, [ey]es
Uh = [o]f, [a]ffect, [u]nder
Re: (Score:2)
No, because then how do you distinguish between the sounds in "of" and "over"?
Long and short "o" sounds...
of = "ov"
over = "ouvr"
If we wanted to get really fancy we could introduce the schwa into the spelling system (to be more realistic for a moment - in reality a mad crusade to reform spelling would probably just adopt an existing, rigorous system of phonetics... I'm just working with basic latin characters 'cause it's easy for the purposes of this discussion...) but really, it's just as easy to leave it out.
but you still haven't covered several other vowel sounds:
AA = [a]pe
Ih = [i]gloo
II = [i]vory, [ey]es
Uh = [o]f, [a]ffect, [u]nder
Simple enough.
ape = "eip" (long "e" sound, terminating in "p")
igloo = "ig
Re: (Score:2)
of = "ov"
over = "ouvr"
If the "o" makes the same sound in "ouvr" as it does in "ov", then "ouvr" is next-to-impossible to pronounce (not to mention doesn't sound like it's supposed to).
If this is a phonetic system, the "o" has to always make the same sound.
Re: (Score:2)
of = "ov"
over = "ouvr"
If the "o" makes the same sound in "ouvr" as it does in "ov", then "ouvr" is next-to-impossible to pronounce (not to mention doesn't sound like it's supposed to).
If this is a phonetic system, the "o" has to always make the same sound.
Well, in any case, "o" doesn't appear in the word "Shirley" so the prosperity of the Shirley joke in written form is unaffected.
(In retrospect, it is possible that "av" would be a better spelling of "of" - despite my earlier statement that people who use this pronunciation would be detained and forcibly re-educated under the new system...)
If you want to be really realistic about what sort of phonetic system a vastly powerful, phonetics-system-crusading mad regime would choose to force standardization of Eng
Re: (Score:2)
Meh. No offense, but I didn't think your "Shirley" joke was funny in the first place. It works just fine in written form because everyone knows it already and it got its humour from the original, not the written version.
Add-Homonym attack! (Score:2)
Meh. No offense, but I didn't think your "Shirley" joke was funny in the first place. It works just fine in written form because everyone knows it already and it got its humour from the original, not the written version.
No offense taken. Anybody who's gonna take a crack at being funny has to be willing to accept that sometimes it doesn't work out. :) I'm only funny sometimes - I can live with that.
Personally I don't think homonym-based jokes work at all well in text... By their nature they rely on ambiguity that doesn't exist in text. Sometimes it's a real drag, 'cause I like those kinds of jokes.
Re: (Score:2)
Anybody who's gonna take a crack at being funny has to be willing to accept that sometimes it doesn't work out.
As someone who has both gotten funny mods on posts that weren't intended to be funny, and gotten Anonymous Coward posts up-modded to +5 Funny when I thought they'd be a little too trollish/flamebaitish to risk posting as myself (that sucks, btw), I must say I understand and agree.
Re: (Score:2)
I did not spell "uv" wrong. The five vowels:
A E I O U
Take the following sounds:
Ah Eh EE Oh OO
This is in accordance with the usage of the vowels in other European languages, such as Spanish or Italian. Thus, the word "of" would be spelled "ov". "uv" would rhyme with "move".
Then spell "duh" using Spanish phonetics. You're arguing against your own point.
I figure in a generation or two we might be able to iron out these regional differences
We've had radio for a hundred years and TV for almost eighty. If you were
Re: (Score:2)
Then spell "duh" using Spanish phonetics.
duh = "da" - or maybe just "d"
I'll admit that's not perfect. I believe this is a sound that would phonetically be marked with a "schwa". There are rigorous phonetics systems that do exist and can cover cases like this - for the purposes of outlining the proposed campaign to secure the prosperity of the written form of the "Shirley" joke (on a system that doesn't support Unicode) I've had to make do with the regular Latin character set.
I figure in a generation or two we might be able to iron out these regional differences
We've had radio for a hundred years and TV for almost eighty. If you were right we'd already have gotten rid of regional and cultural differences.
Well, no, because we haven't made a concerted effort (paired with viole
Re: (Score:1)
It wasn't a joke, it was a popular culture reference. I'd imagine that you're neither popular nor cultured; that would explain your total failure to 'get it'.
Re: (Score:2)
Yes, Airplane! is for the fine cultured palate. The comment wasn't meant to be funny, it was meant as social commentary regarding new technology. Now let's all spout out some Monty Python quotes and give each other handjobs with our pinkies curled.
Re: (Score:2)
It wasn't a joke, it was a popular culture reference. I'd imagine that you're neither popular nor cultured; that would explain your total failure to 'get it'.
Dude, what are you talking about?
It's a joke and a pop culture reference. I get it. I've seen "Airplane". I use this joke myself more than is really appropriate.
But every time a cherry of an opportunity for a "Don't call me Shirley" joke appears in text the opportunity is wasted by the fact that the difference in spelling pretty much kills the joke. It's as if, by the simple act of presenting the joke in written form, the entire funny part of it has been extracted and painstakingly explained at length.
T
Re: (Score:2)
while the words "Shirley" and "surely" are homonyms, the spelling is clearly different
Thus, they are homophones, not homonyms.
Aw, damn it, you're right... I am embarrassed to have gotten that wrong. That pretty much ruins the "Add homonym attack" joke, too...
Re: (Score:2)
The one where people have actually watched the movie "Airplane!"
Re: (Score:2)
Looks like I picked the wrong week to deactivate my FB account.
Why? I've been on facebook since late 2004 and have never used a single app. You'd have been perfectly safe if you never used them or only used ones which you absolutely trusted.
Re:McCroskey (Score:5, Interesting)
Curiously few people seem to have gotten that. I've got an account named "John Doe" to try 'em out and another one which I add people I know to. Funnily, John Doe has several hundred friends already, despite not actually existing.
Re:McCroskey (Score:5, Insightful)
If I understand it, I have significant access to my friends' data on Facebook. When *I* sign up for an account, the app not only has access to my data, but any and all data I have access to. So you might not have given access to your data, but a friend might.
Plus, doesn't Facebook use Flash on a few of their ads? With the old crossdomain setting, Facebook's advertisers could also have gained access to your data.
Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.
Re: (Score:2)
Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.
It's sad you have to tell people this.
It's like putting up fliers on telephone poles and signing your name (and picture) with it. And then asking how people found out.
Re: (Score:1)
Fixed it for you.
Re: (Score:2)
Facebook has nearly the equivalent of ACLs. Learn to use the groups and privacy functions. You can put people into groups and then give groups, or individual people access (or block access) to nearly any aspect of the site. (And I'm guessing by extension Apps that those people use).
Right now everything is locked down to the point that NO ONE can see anything by default. You can't even search me by name because I don't 'exist'. No pictures, no information, nothing.
I have "Family", "Friends", "Acquaintances"
Re: (Score:3, Informative)
So if someone in your "Family" group wants to find out what kind of left-handed vampire they are, then the app they are running has the same access to your profile that they do.
That's the problem. You might trust the person, but they are running apps that might not be as trustworthy, and those apps adopt their Facebook authority to run.
At least that's how I understand it.
Well? (Score:2)
Get to the point, man. What kind of left-handed vampire are they?
Re: (Score:2)
I agree, unfortunately there are a lot of people that don't realize this and will click on any and every cool looking app out there.
However, even if your Facebook account is compromised, people need to realize that they should only be putting information on their page that they want the whole world to see. If people would just ask themselves one question, "Am I ok with my [boss, wife, mom, complete stranger] knowing this?", before posting, a lot of issues could be avoided.
Re: (Score:2)
Maybe someone can help you with that? Whether you know it or not?
Deactivation (Score:1)
Re: (Score:2, Insightful)
Well, it is an achievement, much in the same way that not eating a bucket of KFC every day is an achievement.
Re: (Score:2)
There are actually accomplished non-asshole, intelligent, and fair-minded people here on slashdot. Somewhere... hidden among all the assholes.. probably..
Also, you are dead wrong :) data-mining anyone and everyone seems to be a very popular thing, whether you think the people are important or not.
Re: (Score:2)
There are actually accomplished non-asshole, intelligent, and fair-minded people here on slashdot.
Those would be the zealots.
Re: (Score:2)
Zealot isn't like a class you pick when you sign up for slashdot... though maybe a class system would clear the air a bit.
Just saying! hah.
Re: (Score:2)
Zealot isn't like a class you pick when you sign up for slashdot...
Yeah, you have to spend at least a couple months as a Marine or Zergling first.
Re: (Score:2)
You aren't important enough for anyone to want your information.
Incorrect if...
Re: (Score:2)
The irony abounds.
Re: (Score:3, Funny)
I feel it as a personal accomplishment I *don't* have social network accounts on Facebook, Myspace and the like.
Well, you say that but we all know it's because you don't have any friends.
Re: (Score:2)
It's so I don't have to be like you and brag about your mega-uber friend list which is solely derived off your MySpace hit counter.
Instead you can brag about how you're too good to have an account on any such sites.
I think The Onion needs to do a follow-up to the feature article about the man who doesn't have cable television.
Re: (Score:2)
Hey, you're right! [slashdot.org] He does have one fan, [slashdot.org] though.
Re: (Score:2)
I feel it as a personal accomplishment I *don't* have social network accounts on Facebook, Myspace and the like.
Wait, so that's a fake you on FB whose last status update was "I <3 my little ponies"? I can't be your friend any more. I like the FB you better.
Re: (Score:2)
I will agree with you that it's a small accomplishment to not have a social networking account anywhere. Mostly because everyone goes "sign up so we can do X together" or "sign up so we can be 'in a relationship' together" or whatever other viral method of spreading is popular today.
I still have an LJ account from around the time I first signed up at slashdot. *sigh* Yes! I know that is a blog... and yes, I know that blogs aren't cool anymore. But what I discovered is that when it became uncool... suddenly
Re: (Score:2)
Be in a what together? Does this require that I leave my basement? In that case, no thanks!
Re: (Score:2)
Damn (Score:2)
There went my plan for consulting for HR departments by checking Facebook and Myspace profiles. Guess I am stuck snooping Slashdot accounts and news sites for $10 a person.
Re: (Score:2)
Maybe YOU can be the one at Facebook instead, if you offer enough cash, but they might be better able to figure out who you are.
Facebook is a buggy mess (Score:5, Insightful)
Re: (Score:2)
Out of all the sites I have ever used, Facebook is the worst when it comes to bugs.
I see you've never been to slashdot.
Re: (Score:2)
Out of all the sites I have ever used, Facebook is the worst when it comes to bugs.
All three of them?
Re: (Score:2)
I'm guessing you've never used friendster, myspace, or slashdot.
Re: (Score:2)
The only reason I'm using facebook is to grow my zombie blog....
There was once a day you just didn't hear sentences like this.
Now if only Adobe would... (Score:2)
Remove Flash's ability for cross-domain cookies. Browser plugins should use the browser's cookie storage, IMO.
I'm wondering... (Score:2)
What about the backdoor that lets you find someone's picture album and their profile if you have the filename of one of their pictures from the album (say, someone dragged the picture into a folder, and then e-mailed it or posted it on a message board, thinking that since they're not posting a link to the facebook photo they're anonymous)?
Will they ever fix that?
Re: (Score:2)
It also allows you to see all the other photos in that album, even if the album isn't publicly accessible.
Re: (Score:2)
Regarding sanitizing the metadata, it's not apparent from just glancing at the filename that it contains this information. You have to know, and most people don't.
It could be relatively easily fixed, too... just use a script to generate the data and pass it in the path name, not the filename. E.g. /image.php/123/456/789/arbitraryfilename.jpg. "arbitraryfilename" can be anything you want it to be, so long as image.php knows to ignore it.
Facebook Spam (Score:2)
Am I the only one who's been getting a shitload of FaceBook spam recently?
have I understood correctly? (Score:1)
So did I get this correctly...
I have a crossdomain.xml file on my website a.com with a very lax policy (allow *). This means that pretty much any Flash file I open from any other site can access a.com and see (or copy) data with my permissions? If I have auto-login enabled (as in the Facebook example) it can log in with my cookies and collect the data without the site being open, and if my site does not feature auto-login it can still access the data given I have an open session?
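A small audit script, added here as an example and not code from the submitter or from either site, that flags the grants the summary describes and this question asks about: `domain="*"`, a wildcard over every subdomain of the site, grants to third-party domains, and `secure="false"`. The sample policies and the site name example.com are constructed for the example.

```python
"""Audit a Flash crossdomain.xml policy for overly permissive grants."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample policies; example.com stands in for the site being audited.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

SUBDOMAIN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="false" />
</cross-domain-policy>"""

STRICT_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.example.com" />
</cross-domain-policy>"""


def _in_site(domain: str, site: str) -> bool:
    """True when domain is the site itself or one of its subdomains."""
    return domain == site or domain.endswith("." + site)


def audit_crossdomain(policy_xml: str, site: str) -> List[str]:
    """Return one finding per risky <allow-access-from> rule.

    Flash honours these rules for any SWF served from a matching origin:
    such a SWF may issue requests to `site` carrying the victim's cookies
    and read the responses, which is the exposure the summary describes.
    """
    findings: List[str] = []
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(f'domain="*": any origin may read {site} as the logged-in user')
        elif domain.startswith("*."):
            if _in_site(domain[2:], site):
                findings.append(f'domain="{domain}": every subdomain of {site} is trusted; '
                                "one subdomain serving user-supplied files exposes the whole site")
            else:
                findings.append(f'domain="{domain}": wildcard grant to a third party')
        elif not _in_site(domain, site):
            findings.append(f'domain="{domain}": third-party origin granted access')
        # secure="false" lets an http:// SWF read https:// responses
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'domain="{domain}": secure="false" downgrades https protection')
    return findings


if __name__ == "__main__":
    for name, policy in [("permissive", PERMISSIVE_POLICY),
                         ("subdomain", SUBDOMAIN_POLICY),
                         ("strict", STRICT_POLICY)]:
        print(name, audit_crossdomain(policy, "example.com") or ["ok"])
```

Run the audit against the policy served by each subdomain, not only the main host, since the report above concerns a subdomain whose policy was looser than the front door's.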