Facebook and MySpace Backdoors Found, Fixed 106
jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting:
"Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data."
He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
Re:Huh. (Score:5, Informative)
I wonder how many people figured this out and didn't report it.
They didn't need to figure it out... Facebook lets people suck all that data out by making a game about vampires, pirates, farming, or god only knows whatever else is out there. Why go through the back door when the front door is already open and a welcome mat thrown out?
Re:McCroskey (Score:3, Informative)
So if someone in your "Family" group wants to find out what kind of left-handed vampire they are, then the app they are running has the same access to your profile that they do.
That's the problem. You might trust the person, but they are running apps that might not be as trustworthy, and those apps adopt their Facebook authority to run.
At least that's how I understand it.