Skip to main content

Facebook, MySpace Contain Major Security Hole

Current Facebook and MySpace users should just accept the fact that social websites are prime targets for info mining, especially when their flawed code provides open windows to hackers. A web developer has recently found such an avenue nestled within XML configuration files used to define the cross-domain access policy for Flash applications.

According to 24-year-old Dutch Web developer Yvo Schaap, reported on his blog here (and originally spotted by Softpedia), the security hole could allow a hacker to hijack accounts and steal private information. Schaap, originally developing an application for Facebook, stumbled across the problem while trying to find a solution to a function limitation.

"Surprisingly, when [I] looked into more carefully, my solution allowed full access and control to the Facebook user account that accessed my application," he wrote. "Did I mention this would also be untraceable since exploit actions would happen from the users IP and own domain cookie?"

Essentially the security hole isn't a coding bug, but rather an insecure configuration issue in crossdomain.xml. The error allowed any Flash application, whether on Facebook or on another non-Facebook website, to access data on the connect.facebook.com sub-domain. "This wouldn't be a big deal if the subdomain only hosts images, but unfortunately, this domain hosts the whole Facebook property, including a Facebook user session," he said.

To learn more, check out Schaap's report--including a proof-of-concept--over on his blog.