Facebook and MySpace Backdoors Found, Fixed

← Back to Stories (view on slashdot.org)

Facebook and MySpace Backdoors Found, Fixed

Posted by Soulskill on Thursday November 5, 2009 @04:29AM from the oh-adobe-you-card dept.

jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.

6 of 106 comments (clear)

Min score:

Reason:

Sort:

McCroskey by Captain+Splendid · 2009-11-05 04:37 · Score: 3, Funny

Looks like I picked the wrong week to deactivate my FB account.

--
Linux, you magnificent bastard, I read the fucking manual!
1. Re:McCroskey by natehoy · 2009-11-05 04:45 · Score: 2, Funny
  
  Surely you can't be serious?
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
Re:Blunderware... by imakemusic · 2009-11-05 05:10 · Score: 3, Funny

I feel it as a personal accomplishment I *dont* have social network accounts on Facebook, Myspace and alike.

Well, you say that but we all know it's because you don't have any friends.

--
Brain surgery - it's not rocket science!
Damnit, people, can you see the problem here? by Tetsujin · 2009-11-05 06:23 · Score: 2, Funny

Surely you can't be serious?
I am. And don't call me Shirley.
People, do you not see the basic problem with using this joke in written format? Without a doubt this is a serious flaw in the English language: we are unable to use the "Don't call me Shirley" joke in written form because, while the words "Shirley" and "surely" are homonyms, the spelling is clearly different...
Ai propoz a simpl fix for this problem: Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz. Thas, thi standard "Shirley" jok wud bi exekyutid thus:
"Shirly yu kant bi sirius?"
"Ai em. And dont kal mi Shirly."
Ther, problem solvd.

--
Bow-ties are cool.
1. Re:Damnit, people, can you see the problem here? by Tetsujin · 2009-11-05 07:26 · Score: 1, Funny
  
  Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz
  Ok, is it spelled "kaw" (New England), Kower (south) Kore (midwest), Kwa (Nwoo Yawk)?
  Is it window, winder, or windah?
  And you spelled "uv" rong. See how this is such an incredibly BAD idea?
  I did not spell "uv" wrong. The five vowels:
  A E I O U
  Take the following sounds:
  Ah Eh EE Oh OO
  This is in accordance with the usage of the vowels in other European languages, such as Spanish or Italian. Thus, the word "of" would be spelled "ov". "uv" would rhyme with "move"
  Admittedly, some work would need to be done to refine the phonetic spelling system and to promote adoption and education of the new system. I figure in a generation or two we might be able to iron out these regional differences. Of course, some will resist these changes: if we can get the NSA involved to monitor SMS and internet usage and introduce FCC regulations requiring broadcasters and recording artists to always spell and pronounce things correctly, and institute a new bureau of ruthless and violent enforcement, it should be doable. The back-catalogue of music and literature will have to be either destroyed or republished, and owning old editions will have to be criminalized. It'd probably be a good idea to identify uncooperative parents and separate them from their children, so we can properly institutionalize them using the new system.
  Oh, and we'll have to invade England, I think - this nonsense about English English being the authoritative version has got to stop. If we play our political cards right and keep anybody else from getting involved it should be a fairly straightforward war without too much loss of life. We may have to use a few tactical nuclear weapons, but I think once we've established a willingness to use them (say, on a minor city) the Brits will know we mean business. One Britain is down I think it should be relatively easy to make Canada fall in line. Australians and New Zealanders might be a bit of a challenge since they're so well known for their weird accents - we could institute a temporary cultural embargo, that should prevent contamination until we're ready to deal with them.
  In the end it'll all be worth it, though, 'cause we'll be able to use the "Don't call me Shirley" joke in writing and it will work properly. Really, all manner of homonym-based jokes will finally be open to use in writing. It will usher in a new golden age of literature.
  
  --
  Bow-ties are cool.
Re:Huh. by Anonymous Coward · 2009-11-05 08:27 · Score: 1, Funny

araadarin san ha nihongo no hon o yomimasu ka? dou deshita ka?