
Facebook, MySpace Contain Major Security Hole

Current Facebook and MySpace users should just accept the fact that social websites are prime targets for info mining, especially when their flawed code provides open windows to hackers. A web developer has recently found such an avenue nestled within XML configuration files used to define the cross-domain access policy for Flash applications.

According to 24-year-old Dutch Web developer Yvo Schaap, who reported it on his blog (and whose post was originally spotted by Softpedia), the security hole could allow a hacker to hijack accounts and steal private information. Schaap, who was developing an application for Facebook at the time, stumbled across the problem while looking for a way around a function limitation.

"Surprisingly, when [I] looked into [it] more carefully, my solution allowed full access and control to the Facebook user account that accessed my application," he wrote. "Did I mention this would also be untraceable since exploit actions would happen from the user's IP and own domain cookie?"

Essentially, the security hole isn't a coding bug but an insecure configuration in crossdomain.xml, the policy file Flash Player consults before it lets a SWF read responses from another domain. The policy allowed any Flash application, whether hosted on Facebook or on an unrelated non-Facebook website, to read data from the connect.facebook.com sub-domain, and because the request is made by the visitor's own browser it carries that visitor's cookies. "This wouldn't be a big deal if the subdomain only hosts images, but unfortunately, this domain hosts the whole Facebook property, including a Facebook user session," he said.
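To make the configuration point concrete, here is an added example (not Schaap's proof-of-concept and not Facebook's actual policy file) that shows the class of permissive crossdomain.xml the article describes next to a restricted one, and a small checker that answers the question that matters in a review: would a SWF served from an arbitrary attacker origin be allowed to read this host's responses? The two policies, the host name example-social.com, and the attacker.example origin are all constructed for the example; the matching rule implemented is the Adobe policy-file wildcard rule as this example understands it (`*.example.com` covers the bare domain and every subdomain).

```python
"""Audit a Flash crossdomain.xml for over-permissive allow-access-from rules.

Added example; the policies below are constructed, not taken from any real site.
"""
import xml.etree.ElementTree as ET

# Constructed example of the misconfiguration class the article describes:
# a bare wildcard lets a SWF on ANY origin read this host's responses,
# including authenticated ones, since the victim's browser sends its cookies.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed hardened policy: only first-party origins, only over TLS, and
# no per-directory policy files elsewhere on the host that could widen access.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*.example-social.com" secure="true" />
</cross-domain-policy>
"""


def parse_allowed_domains(policy_xml):
    """Return (domain, secure) pairs declared by allow-access-from elements."""
    root = ET.fromstring(policy_xml)
    rules = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        # Flash default: secure="true" when the policy itself is served over HTTPS.
        secure = rule.get("secure", "true").lower() != "false"
        rules.append((domain, secure))
    return rules


def domain_matches(pattern, host):
    """Does one allow-access-from domain pattern grant access to a SWF on host?"""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        # Wildcard covers the bare domain and every subdomain, but not
        # look-alike hosts such as example-social.com.attacker.example.
        return host == base or host.endswith("." + base)
    return host == pattern


def origin_allowed(policy_xml, swf_host):
    """Would a SWF served from swf_host be granted cross-domain reads?"""
    return any(domain_matches(d, swf_host) for d, _ in parse_allowed_domains(policy_xml))


def audit(policy_xml):
    """Findings a reviewer would flag in the policy, empty if none."""
    findings = []
    root = ET.fromstring(policy_xml)
    site_control = root.find("site-control")
    allowed_modes = ("master-only", "none")  # "none" disables cross-domain access entirely
    if site_control is None or site_control.get("permitted-cross-domain-policies") not in allowed_modes:
        findings.append("no site-control master-only: per-directory policy files can widen access")
    for domain, secure in parse_allowed_domains(policy_xml):
        if domain == "*":
            findings.append('allow-access-from domain="*": any origin can read authenticated responses')
        if not secure:
            findings.append(f'secure="false" on {domain}: plain-HTTP SWFs can read HTTPS responses')
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: attacker.example allowed = {origin_allowed(policy, 'attacker.example')}")
        for finding in audit(policy):
            print("  -", finding)
```

Running the script reports that the permissive policy grants attacker.example access and flags the bare wildcard, while the restricted policy admits only example-social.com and its subdomains. The same check applies to any host that serves a policy file: fetch `/crossdomain.xml` from every sub-domain that can carry a session cookie, not just the one the Flash application was written against, because the policy is evaluated per host and a permissive file on an unexpected sub-domain exposes everything that sub-domain serves.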

To learn more, check out Schaap's report--including a proof-of-concept--over on his blog.

  • cruiseoveride
    Facebook needs to become a client application
    Reply
  • ssalim
    Great, now more people know about this.
    Reply
  • hellwig
    ssalim: Great, now more people know about this.
    Sorry, you'll have to find another way to exploit facebook accounts when/if they fix this.

    My fiancee and family wonder why I don't have facebook or twitter. Gee, maybe this is just one of many reasons why. The other major reason being these fads are pointless and stupid (I've seen enough fads in my 15 years of internet usage).

    I still say we license internet users. Make sure they're mature and competent enough to protect themselves online. We don't need teens committing suicide because some "boy" on facebook said nasty things about them, and we don't need Grandma giving away her life savings to some nice gentleman from Nigeria.
    Reply
  • ravewulf
    What DOESN'T have critical security flaws?
    Reply
  • sqhacker
    maybe i should make a dummy account with no info and a vm to run my social networks from now on...at least that way it links back to nothing i care about
    Reply
  • asjflask
    License internet users? Are you really willing to give up more of your freedoms in exchange for more security? Ben Franklin said it best when he said that those who give up freedoms for security deserve neither.
    Reply
  • pale paladin
    I'm a fan of equality but some people shouldn't breed, use computers, drive a car, play with sharp objects or firearms. Equality and freedom should be delegated by competency and capability, not idealistic inherent privilege. Of course, extenuating circumstances like disability do not apply to my line of thinking.
    Reply
  • dextermat
    Whaaaaaat thats impossible....(being ironic here)
    Reply
  • 1pp1k10k4m1
    I'm glad he's a good guy. I don't really use facebook, but this is potential disaster.
    Reply
  • Manos
    homrqt: It's good he was one of those guys that likes to report these flaws and gets them fixed instead of exploiting it.
    Saying it on your blog, you just brag about your findings and don't report it, if you ask me. Unless of course it says somewhere in the article that he has reported it and I missed it; then he did nothing but find something and not even mention getting it fixed.
    Reply