Facebook and MySpace repair Flash backdoors

6 November 2009   |   By Anton   |   Views: 790   |   Comments: 2

Web programmer Yvo Schaap discovered that Facebook and MySpace assign permissions to Flash applications too freely. According to Schaap, such applications can thereby gain access to comprehensive data belonging to other Facebook users.


Concern

Flash applications can normally only access resources on the server from which they were loaded. To let developers build more flexible programs, Adobe introduced a mechanism that grants a Flash object direct access to servers other than the one it was loaded from. Such access is permitted through the crossdomain.xml file located in the root directory of the web server. On its main domain, Facebook uses instructions such as:

<cross-domain-policy>
...
<allow-access-from domain="external.ak.fbcdn.net" />
...
</cross-domain-policy>

to grant these rights to trusted third parties. On the subdomain www.connect.facebook.com, however, Schaap found the following declaration in that file:

<allow-access-from domain="*" />

This grants the whole Internet the ability to call the object. If a user is logged on to Facebook, or uses the popular auto-login on their computer, then any Flash applet on a malicious website can read all of that user's Facebook data through connect.facebook.com, or send messages on their behalf. Messages containing links, sent to the potential victims' friends, could also be used to spread a worm on Facebook.
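As an added example (not code from the article, nor from Facebook or MySpace), a small Python audit of a crossdomain.xml document that flags the wildcard entry Schaap found, as well as a `secure="false"` attribute, which lets plain-HTTP origins read an HTTPS host. The two policy strings are constructed to mirror the fragments above, and the trusted-suffix list is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies mirroring the article's fragments; they are
# not Facebook's actual files.
MAIN_DOMAIN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="external.ak.fbcdn.net" />
</cross-domain-policy>"""

CONNECT_SUBDOMAIN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""


def _is_trusted(host, trusted_suffixes):
    """True if host equals a trusted suffix or is a subdomain of one."""
    for s in trusted_suffixes:
        if host == s.lstrip(".") or host.endswith(s):
            return True
    return False


def audit_crossdomain_policy(xml_text, trusted_suffixes=()):
    """Return (severity, domain, message) findings for a crossdomain.xml.

    A bare "*" is critical: any Flash object on any site may read this
    host with the victim's cookies attached.  A wildcard prefix such as
    "*.example.com" is flagged unless it falls under a trusted suffix; an
    exact host outside the trusted list is reported for review.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    findings = []
    for elem in root.iter("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append(("critical", domain, "grants every origin on the Internet access"))
        elif domain.startswith("*."):
            if not _is_trusted(domain[2:], trusted_suffixes):
                findings.append(("high", domain, "wildcard subdomain outside trusted suffixes"))
        elif not _is_trusted(domain, trusted_suffixes):
            findings.append(("info", domain, "exact host not in trusted list; confirm it is first-party"))
        if elem.get("secure", "true").lower() == "false":
            findings.append(("high", domain, 'secure="false" lets HTTP origins read this HTTPS host'))
    return findings


if __name__ == "__main__":
    for name, policy in (("main", MAIN_DOMAIN_POLICY), ("connect", CONNECT_SUBDOMAIN_POLICY)):
        print(name, audit_crossdomain_policy(policy, trusted_suffixes=(".fbcdn.net",)))
```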

In the case of MySpace the problem is less clear-cut. There, the operators appear to have restricted Flash applications to a set of sites, including farm.sproutbuilder.com. However, users can upload Flash files to that site, so in theory someone could upload one that steals data from MySpace accounts.


Solution

According to Schaap, both companies removed the security issues shortly after he informed them. These gaps nonetheless show once again that many social networking sites still have much to do in terms of security.



1. carolyn hall   |   9 November 2009 23:01   |   Group: Guests

hey sexy love

hey feel

2. MUBIN MAAHI   |   12 November 2009 10:20   |   Group: Guests

Hi,
How are you?
crying
