Slashdot Mirror

← Back to Stories (view on slashdot.org)

Facebook and MySpace Backdoors Found, Fixed

Posted by Soulskill on from the oh-adobe-you-card dept.

jamie writes with news of a Facebook app developer who found a significant security hole while he was trying to get around function limitations for his application. Quoting: "Luckily — just with browser AJAX requests — a flash application hosted on domain X is unable to open a file on domain Y. If this would be possible, domain X [would be] able to access content on domain Y, and when the user is logged in on domain Y retrieve and post back any personal data. In certain cases this could limit a Flash application's capabilities. ... To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain="*") to access its domain data." He found a similar problem in MySpace's crossdomain.xml. Both sites were notified, and they have implemented fixes.

7 of 106 comments (clear)

  1. Huh. by Velorium · · Score: 5, Insightful

    I wonder how many people figured this out and didn't report it.

    1. Re:Huh. by girlintraining · · Score: 4, Informative

      I wonder how many people figured this out and didn't report it.

      They didn't need to figure it out... Facebook lets people suck all that data out by making a game about vampires, pirates, farming, or god only knows whatever else is out there. Why go through the back door when the front door is already open and a welcome mat thrown out?

      --
      #fuckbeta #iamslashdot #dicemustdie
  2. McCroskey by Captain+Splendid · · Score: 3, Funny

    Looks like I picked the wrong week to deactivate my FB account.

    --
    Linux, you magnificent bastard, I read the fucking manual!
    1. Re:McCroskey by darthflo · · Score: 4, Interesting

      Curiously few people seem to have gotten that. I've got an account named "John Doe" to try 'em out and another one which I add people I know to. Funnily, John Doe has several hundred friends already, despite not actually existing.

    2. Re:McCroskey by natehoy · · Score: 4, Insightful

      If I understand it, I have significant access to my friends' data on Facebook. When *I* sign up for an account, the app not only has access to my data, but any and all data I have access to. So you might not have given access to your data, but a friend might.

      Plus, doesn't Facebook use Flash on a few of their ads? With the old crossdomain setting, Facebook's advertisers could also have gained access to your data.

      Don't post anything on Facebook you aren't comfortable telling your friends, your boss, your wife, or any random stranger.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  3. Re:Blunderware... by imakemusic · · Score: 3, Funny

    I feel it as a personal accomplishment I *dont* have social network accounts on Facebook, Myspace and alike.

    Well, you say that but we all know it's because you don't have any friends.

    --
    Brain surgery - it's not rocket science!
  4. Facebook is a buggy mess by WankersRevenge · · Score: 4, Insightful

    It amazes me that facebook rose to prominence in the way it did. Out of all the sites I have ever used, Facebook is the worst when it comes to bugs. It simply floors me at how much bad code is pushed out to production servers or how many things break on a daily basis. I'm not talking simple copy bugs, but full on showstopping bugs. At one point, I was filing bug reports to them on a daily basis. If there is any qa department, it is incredibly lax. I'm guessing it's just a couple of interns sniffing for a gig. The only reason I'm using facebook is to grow my zombie blog, and once I reach a point where my traffic isn't dependent on that site, I'm dropping them like a friggin rock. And it will be a glorious day indeed.