Slashdot Mirror


Facebook and MySpace Backdoors Found, Fixed

jamie writes with news of a Facebook app developer who found a significant security hole while trying to work around functional limitations of his application. Quoting: "Luckily — just as with browser AJAX requests — a Flash application hosted on domain X is unable to open a file on domain Y. If this were possible, domain X [would be] able to access content on domain Y and, when the user is logged in on domain Y, retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developer) introduced a 'crossdomain.xml' file which can allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While Facebook had indeed locked the front door against Flash access from any non-Facebook domain, a simple subdomain change allowed any Flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.
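As an added example (not code from the story, the developer, or either site): a small Python checker that parses a crossdomain.xml policy and flags the entries the story turns on. Flash Player fetches /crossdomain.xml from whichever host a SWF tries to read data from, and that read carries the browser's cookies for that host, so a wildcard policy on any cookie-bearing subdomain is as bad as one on the main site. The two policies and the host names below are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not Facebook's or MySpace's real files).
# The first is the wide-open form the story describes: any origin may read.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# The second is restricted to the site's own hosts over HTTPS only.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="*.example.com" secure="true" />
</cross-domain-policy>
"""

# Hypothetical hosts of one site, each serving its own /crossdomain.xml.
# The main host is locked down; a side host is wide open, which is the
# "simple subdomain change" the story describes.
SAMPLE_HOSTS = {
    "www.example.com": RESTRICTED_POLICY,
    "static.example.com": PERMISSIVE_POLICY,
}


def _is_within(host, own_domain):
    """True if host is own_domain itself or a subdomain of it."""
    return host == own_domain or host.endswith("." + own_domain)


def audit_crossdomain_policy(xml_text, own_domain):
    """Audit one crossdomain.xml policy. Returns a list of finding strings;
    an empty list means nothing in the policy looked permissive."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is %r, not cross-domain-policy" % root.tag]
    findings = []
    for ctl in root.findall("site-control"):
        if ctl.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append('site-control permits policy files anywhere on the host, '
                            'so any XML a user can upload may grant access')
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": a SWF on any site can read '
                            "responses sent with the victim's cookies")
        else:
            # "*.example.com" is fine for example.com; "*.other.com" is not.
            bare = domain[2:] if domain.startswith("*.") else domain
            if not _is_within(bare, own_domain):
                findings.append('allow-access-from domain=%r grants a third party access' % domain)
        if rule.get("secure", "true").lower() == "false":
            findings.append('allow-access-from domain=%r has secure="false": '
                            'an http:// SWF may read https:// responses' % domain)
    return findings


def find_permissive_hosts(host_policies, own_domain):
    """Run the audit over {host: policy_xml} and keep only hosts with findings."""
    result = {}
    for host, policy in host_policies.items():
        findings = audit_crossdomain_policy(policy, own_domain)
        if findings:
            result[host] = findings
    return result


if __name__ == "__main__":
    for host, findings in find_permissive_hosts(SAMPLE_HOSTS, "example.com").items():
        for finding in findings:
            print("%s: %s" % (host, finding))
```

Run against a real site, the input to find_permissive_hosts would be the policy fetched from every hostname that receives the session cookie, not just the main one; a policy that is locked on www but wildcarded on a static or API host still lets a SWF on any site read the logged-in user's data.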

11 of 106 comments

  1. Huh. by Velorium · Score: 5, Insightful

    I wonder how many people figured this out and didn't report it.

    1. Re:Huh. by girlintraining · Score: 4, Informative

      I wonder how many people figured this out and didn't report it.

      They didn't need to figure it out... Facebook lets people suck all that data out by making a game about vampires, pirates, farming, or god only knows whatever else is out there. Why go through the back door when the front door is already open and a welcome mat thrown out?

      --
      #fuckbeta #iamslashdot #dicemustdie
  2. McCroskey by Captain+Splendid · Score: 3, Funny

    Looks like I picked the wrong week to deactivate my FB account.

    --
    Linux, you magnificent bastard, I read the fucking manual!
    1. Re:McCroskey by natehoy · Score: 2, Funny

      Surely you can't be serious?

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    2. Re:McCroskey by darthflo · Score: 4, Interesting

      Curiously few people seem to have gotten that. I've got an account named "John Doe" to try 'em out and another one which I add people I know to. Funnily, John Doe has several hundred friends already, despite not actually existing.

    3. Re:McCroskey by natehoy · Score: 4, Insightful

      If I understand it, I have significant access to my friends' data on Facebook. When *I* sign up for an account, the app not only has access to my data, but any and all data I have access to. So you might not have given access to your data, but a friend might.

      Plus, doesn't Facebook use Flash on a few of their ads? With the old crossdomain setting, Facebook's advertisers could also have gained access to your data.

      Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
    4. Re:McCroskey by natehoy · Score: 2, Informative

      So if someone in your "Family" group wants to find out what kind of left-handed vampire they are, then the app they are running has the same access to your profile that they do.

      That's the problem. You might trust the person, but they are running apps that might not be as trustworthy, and those apps adopt their Facebook authority to run.

      At least that's how I understand it.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  3. Re:Blunderware... by maxume · Score: 2, Insightful

    Well, it is an achievement, much in the same way that not eating a bucket of KFC every day is an achievement.

    --
    Nerd rage is the funniest rage.
  4. Re:Blunderware... by imakemusic · Score: 3, Funny

    I feel it as a personal accomplishment that I *don't* have social network accounts on Facebook, MySpace and the like.

    Well, you say that but we all know it's because you don't have any friends.

    --
    Brain surgery - it's not rocket science!
  5. Facebook is a buggy mess by WankersRevenge · Score: 4, Insightful

    It amazes me that Facebook rose to prominence in the way it did. Out of all the sites I have ever used, Facebook is the worst when it comes to bugs. It simply floors me how much bad code is pushed out to production servers and how many things break on a daily basis. I'm not talking simple copy bugs, but full-on showstopping bugs. At one point, I was filing bug reports to them on a daily basis. If there is any QA department, it is incredibly lax. I'm guessing it's just a couple of interns sniffing for a gig. The only reason I'm using Facebook is to grow my zombie blog, and once I reach a point where my traffic isn't dependent on that site, I'm dropping them like a friggin' rock. And it will be a glorious day indeed.

  6. Damnit, people, can you see the problem here? by Tetsujin · Score: 2, Funny

    Surely you can't be serious?

    I am. And don't call me Shirley.

    People, do you not see the basic problem with using this joke in written format? Without a doubt this is a serious flaw in the English language: we are unable to use the "Don't call me Shirley" joke in written form because, while the words "Shirley" and "surely" are homonyms, the spelling is clearly different...

    Ai propoz a simpl fix for this problem: Inglish speekurz shood standardaiz on a striktly phonetik sistem ov speling wurdz. Thas, thi standard "Shirley" jok wud bi exekyutid thus:
    "Shirly yu kant bi sirius?"
    "Ai em. And dont kal mi Shirly."

    Ther, problem solvd.

    --
    Bow-ties are cool.