funsec mailing list archives

Facebook and MySpace security: backdoor wide open, millions of accounts exploitable


From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Thu, 5 Nov 2009 16:57:50 +0200 (EET)

"As an application developer on Facebook, I usually run into certain walls that limit my application functionality. But I don't give up easily, and only recently I found a solution to one of my function limitations. Surprisingly, when looked into more carefully, my solution allowed full access and control to the Facebook user account that accessed my application. Did I mention this would also be untraceable, since exploit actions would happen from the user's IP and own domain cookie?

Let's walk through it along some clarifying images. Flash applications run on a user's computer. A Flash application is able to load data into its environment. This is done by a request of the application, where the user loads a certain URL. Luckily - just as with browser AJAX requests - a Flash application hosted on domain X is unable to open a file on domain Y. If this were possible, domain X would be able to access content on domain Y, and when the user is logged in on domain Y, retrieve and post back any personal data.

In certain cases this could limit a Flash application's capabilities. A relevant example: an application wants to display public Facebook user thumbnails. The application is on domain X, the thumbnails on domain facebook.com. To resolve such issues, Adobe (Flash's developers) introduced a "crossdomain.xml" file which could allow certain domains to access another domain, leading to cross domain access by certain or all domains."
--clip--

http://www.yvoschaap.com/index.php/weblog/facebook_myspace_accounts_hijacked/

Juha-Matti
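A small audit of crossdomain.xml policies, added here as an example and not code from the quoted blog post or from either site: the two policy files and the host names are constructed for illustration. It parses the allow-access-from entries, answers whether a SWF served from a given host would be granted cross-domain access (with the victim's cookies attached), and flags the wide-open settings that the excerpt describes.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not from the blog post): one wide open, one scoped.
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""
RESTRICTED_POLICY = """<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="static.example-cdn.net" />
</cross-domain-policy>"""

def domain_matches(pattern, host):
    """Flash policy matching: '*' is everyone; '*.example.com' covers example.com
    itself and every subdomain; anything else must match the host exactly."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return host == pattern

def grants_access(policy_xml, swf_host):
    """Would a SWF served from swf_host be allowed to read this site's responses
    (sent with the victim's own cookies) under this crossdomain.xml?"""
    root = ET.fromstring(policy_xml)
    return any(domain_matches(node.get("domain", ""), swf_host)
               for node in root.findall("allow-access-from"))

def audit(policy_xml):
    """Return the findings a defender would flag in this policy file."""
    root = ET.fromstring(policy_xml)
    findings = []
    site = root.find("site-control")
    if site is not None and site.get("permitted-cross-domain-policies") == "all":
        findings.append("site-control=all: policy files elsewhere on the site "
                        "(e.g. under user-uploaded content) can grant extra access")
    for node in root.findall("allow-access-from"):
        pattern = node.get("domain", "")
        if pattern == "*":
            findings.append('domain="*": any site can read authenticated responses')
        elif pattern.startswith("*."):
            findings.append(f"{pattern}: every subdomain is trusted, including any "
                            "that serves user-controlled content")
        # secure defaults to true; only an explicit "false" lets an http:// SWF
        # read data from an https:// site.
        if node.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {pattern}: http:// SWFs may read https:// data')
    return findings
```

Run `audit()` against a site's real /crossdomain.xml to see which hosts it trusts before relying on the Flash same-origin restriction described above.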
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

