Facebook and Myspace bolt Flash backdoors
Web developer Yvo Schaap has discovered that Facebook and Myspace had been overgenerous in assigning privileges to Flash applications, allowing Schaap's Flash application to access another user's entire Facebook data.
Flash applications are normally only able to access resources on the server from which they have been loaded. To give developers more flexibility in designing applications, Adobe has, however, introduced the option of explicitly granting access to other servers. This is achieved by means of the crossdomain.xml file in a web server's root folder. Facebook had used this to grant trusted sites the right to access its main domain via instructions such as:
<allow-access-from domain="external.ak.fbcdn.net" />
Schaap, however, also found the following statement on the www.connect.facebook.com subdomain:
<allow-access-from domain="*" />
which permits access from anywhere on the web. If a user is logged into Facebook or has activated the auto-login function on his or her PC, Flash applets on a malicious website would then be able to use this to access all his or her Facebook data or post messages in his or her name via connect.facebook.com. It would also have been possible to build a Facebook worm using messages with links to the victim's friends.
On MySpace, the case was a little more obscure, with the site operators having consciously restricted access to a specific range of sites. These included, however, farm.sproutbuilder.com, a site to which users are able to upload their own Flash files which could have included Flash files for plundering MySpace accounts.
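The two failure modes described above, the Facebook wildcard grant and the MySpace grant to a host that serves user-uploaded Flash files, can be caught by a simple policy audit. The following is an added example, not code from the article or from either site; the three policy bodies are constructed samples, and the hostnames are the ones named in the text.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration; not the sites' real files.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="external.ak.fbcdn.net" secure="true" />
</cross-domain-policy>"""

# The MySpace-style case: a named host that itself serves user uploads.
HOSTED_UPLOADS_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="farm.sproutbuilder.com" />
</cross-domain-policy>"""

def audit_crossdomain_policy(xml_text, user_content_hosts=frozenset()):
    """Return (severity, message) findings for one crossdomain.xml body.

    user_content_hosts: hosts known to serve files uploaded by arbitrary
    users; trusting such a host is as good as trusting everyone.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("high", "root element is not <cross-domain-policy>")]
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            # Any site on the web may make requests carrying the victim's session
            findings.append(("high", "wildcard domain: every site may read authenticated content"))
        elif domain.startswith("*."):
            findings.append(("medium", f"wildcard subdomain {domain}: every host under it is trusted"))
        elif domain in user_content_hosts:
            findings.append(("high", f"{domain} serves user uploads: equivalent to a wildcard grant"))
        if elem.get("secure", "true").lower() == "false":
            findings.append(("medium", f'secure="false" on {domain}: grant also honoured over plain HTTP'))
    for elem in root.iter("allow-http-request-headers-from"):
        if elem.get("domain") == "*":
            findings.append(("medium", "any origin may send custom request headers"))
    return findings
```

The user-content host list has to be maintained by hand, which is exactly the review step MySpace's otherwise restrictive policy missed.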
Schaap reports that both companies fixed the issue rapidly on being informed of the problem. The vulnerabilities do, however, once more illustrate that many social networking sites still have some work to do when it comes to security.
- Shutting Twitter backdoors, a report from The H.