Slashdot Mirror


Facebook and MySpace Backdoors Found, Fixed

jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
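The summary above describes the weak setting in a single line: an `allow-access-from domain="*"` rule in a crossdomain.xml served by some host under the site's domain. The following audit script is an added example, not code from the original story or from the developer quoted in it. The two policy files in it are constructed illustrations of a permissive and a tightened policy; they are not the files Facebook or MySpace actually served, and `static.example.com` is a placeholder hostname. It parses each host's policy and flags the settings that matter: the `*` wildcard, a subdomain wildcard, `secure="false"`, and a `site-control` meta-policy that lets any other policy file on the host override the master one. Because the story's point is that the front door was locked while a subdomain was not, the script audits a mapping of hostnames to policies so every host that serves a crossdomain.xml is checked, not only the apex domain.

```python
"""Audit Flash crossdomain.xml policies for overly permissive settings.

Added example. The policies below are constructed for illustration and are
not the files any real site served.
"""
import xml.etree.ElementTree as ET

# Constructed: a policy that trusts every origin, including over plain HTTP.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""

# Constructed: only the master policy counts, and only one named host over HTTPS.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com" secure="true"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # The meta-policy decides whether non-master policy files (e.g. one a user
    # uploads somewhere under the host) are honoured at all.
    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all" lets any '
                        'policy file on the host widen access')

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        # Flash defaults secure to true for policies fetched over HTTPS; an
        # explicit "false" lets SWFs loaded over HTTP read HTTPS content.
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append('allow-access-from domain="*" grants every origin access '
                            'to content served to the logged-in user')
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain={domain!r} trusts every host "
                            f"under that suffix")
        if secure == "false":
            findings.append(f'allow-access-from domain={domain!r} has secure="false"')

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*" lets any origin '
                            'send arbitrary request headers')
    return findings


def audit_hosts(policies_by_host):
    """Audit every host that serves a policy; returns {host: findings} for flagged hosts.

    A locked-down apex domain does not help if one subdomain under it serves a
    permissive file, so each host's policy is judged on its own.
    """
    return {host: audit_crossdomain(xml)
            for host, xml in policies_by_host.items()
            if audit_crossdomain(xml)}


if __name__ == "__main__":
    # Constructed host-to-policy mapping: the apex is tight, one subdomain is not.
    sample = {
        "www.example.com": HARDENED_POLICY,
        "media.example.com": WEAK_POLICY,
    }
    for host, issues in audit_hosts(sample).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Run against the hosts you control, the script reports only `media.example.com` in the constructed sample, which is exactly the shape of the problem the story describes: the apex domain passes while a sibling host quietly opens the data to every origin.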

2 of 106 comments

  1. McCroskey by Captain+Splendid · Score: 3, Funny

    Looks like I picked the wrong week to deactivate my FB account.

    --
    Linux, you magnificent bastard, I read the fucking manual!
  2. Re:Blunderware... by imakemusic · Score: 3, Funny

    I feel it as a personal accomplishment I *don't* have social network accounts on Facebook, Myspace and the like.

    Well, you say that but we all know it's because you don't have any friends.

    --
    Brain surgery - it's not rocket science!