Facebook and MySpace Backdoors Found, Fixed 106
jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting:
"Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data."
He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
Comment removed (Score:1, Interesting)
Re:McCroskey (Score:5, Interesting)
Curiously few people seem to have gotten that. I've got an account named "John Doe" to try 'em out and another one which I add people I know to. Funnily, John Doe has several hundred friends already, despite not actually existing.