funsec mailing list archives
Facebook and MySpace security: backdoor wide open, millions of accounts exploitable
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Thu, 5 Nov 2009 16:57:50 +0200 (EET)
"As an application developer on Facebook, I usually run into certain walls that limit my application functionality. But I don't give up easily, and only recently I found a solution to one of my function limitations. Surprisingly, when looked into more carefully, my solution allowed full access and control to the Facebook user account that accessed my application. Did I mention this would also be untraceable, since exploit actions would happen from the user's IP and own domain cookie? Let's walk through it along some clarifying images.

Flash applications run on a user's computer. A Flash application is able to load data into its environment. This is done by a request of the application, where the user loads a certain URL. Luckily, just as with browser AJAX requests, a Flash application hosted on domain X is unable to open a file on domain Y. If this were possible, domain X would be able to access content on domain Y, and when the user is logged in on domain Y, retrieve and post back any personal data.

In certain cases this could limit a Flash application's capabilities. A relevant example: an application wants to display public Facebook user thumbnails. The application is on domain X, the thumbnails on domain facebook.com. To resolve such issues, Adobe (Flash's developers) introduced a "crossdomain.xml" file which could allow certain domains access to another domain, leading to cross-domain access by certain or all domains."

--clip--

http://www.yvoschaap.com/index.php/weblog/facebook_myspace_accounts_hijacked/

Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
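As an added defensive illustration (not part of this post or of the linked article), the script below audits a crossdomain.xml policy and flags the over-broad grants the quoted text refers to, where a site lets "certain or all domains" read its content. Both sample policies are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from any real site).
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.example.com" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>"""

STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.com" />
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text):
    """Return a list of findings describing over-broad grants in a crossdomain.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]

    # Without a master-only site-control, additional policy files elsewhere
    # on the host may also be honoured by the Flash player.
    if root.find("site-control") is None:
        findings.append("no <site-control>: other policy files on the host may be honoured")

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can read responses '
                            "sent with the logged-in user's cookies")
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain is trusted')
        # secure="false" matters when the policy is served over HTTPS: it also
        # admits SWFs loaded over plain HTTP.
        if el.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": '
                            "plain-HTTP SWFs may read HTTPS data")

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" or el.get("headers") == "*":
            findings.append("allow-http-request-headers-from wildcard: "
                            "arbitrary sites may send custom request headers")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_crossdomain_policy(policy) or ["no findings"])
```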