You know those two sites where you have a profile with all of your personal information on it? Well, they both had an error through which someone with the right knowledge could find a back door into your account. The error was discovered by a Dutch web developer by the name of Yvo Schaap. He believes that with this security lapse, people's information could be at stake.
The error involves the XML configuration files (crossdomain.xml) that govern which Flash apps may access a site's data. Schaap explains in detail on his blog the steps he took to discover this error. Coincidentally, Schaap discovered the XML error while developing an app of his own.
Schaap was struggling to find a way around the limits Facebook places on apps so that he could run his own. That is when he found the solution he was looking for, with a side effect: it allowed him full access to the user account of the person using his app. Account login details are still needed, but the problem arises when users have an auto-login function activated, which is a large number of people.
Schaap explains the specifics of the XML hole that allows him access: "In certain cases this could limit a Flash application's capabilities. A relevant example: an application wants to display public Facebook user thumbnails. The application is on domain X, the thumbnails on domain facebook.com. To resolve such issues, Adobe (Flash's developers) introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross domain access by certain or all domains."
Facebook locked the front door, but by switching to a different subdomain, a Flash app can still access the domain's data. We're not just talking about photos or certain parts of the site, but the entire Facebook user session.
So, is Facebook the only site with a security lapse in its crossdomain.xml file? Unfortunately, no. MySpace has the same kind of problem, since it relies on the same mechanism to let Flash content reach data on its site. Again, Schaap explains: "But how does MySpace fit in this story? You would be surprised if I found a similar back door on not one, but two of the top 10 websites online, right? Well a quick look at the MySpace crossdomain.xml file shows again a locked door, except for one element: the domain farm.sproutbuilder.com was enabled to access myspace.com data."
The farm.sproutbuilder.com entry grants the same degree of access as the error on Facebook. If a MySpace page hosts a malicious Flash file and the visitor has auto-login activated, then it is relatively easy for prying minds to get into that user's account.
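Both lapses come down to the contents of an `<allow-access-from>` list, so the practical check is to audit that list. The following is an added example (not Schaap's code or either site's actual policy): it parses a constructed crossdomain.xml and flags the two patterns the article describes, a wildcard that trusts every subdomain and a third-party domain granted access, plus the `secure="false"` attribute; `audit_policy` and the sample domains are assumptions for the illustration.

```python
"""Audit a Flash crossdomain.xml policy for over-broad <allow-access-from> entries."""
import xml.etree.ElementTree as ET

# Constructed sample policy (not Facebook's or MySpace's real file). It contains
# a wildcard-subdomain entry and a third-party entry, the two patterns the
# article describes, plus one entry that weakens the HTTPS requirement.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example-social.com" />
  <allow-access-from domain="farm.sproutbuilder.com" />
  <allow-access-from domain="static.example-social.com" secure="false" />
</cross-domain-policy>
"""


def audit_policy(policy_xml, own_domain):
    """Return a list of (domain, reason) findings for entries that extend trust
    beyond the site's own hosts. own_domain is the site the policy protects."""
    findings = []
    root = ET.fromstring(policy_xml)
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append((domain, "any origin may read this site's data"))
        elif domain.startswith("*."):
            # A wildcard trusts every present and future subdomain: any host under
            # it that ends up serving untrusted Flash content inherits the trust.
            findings.append((domain, "wildcard subdomain: every subdomain is trusted"))
        elif not (domain == own_domain or domain.endswith("." + own_domain)):
            # Trust extended to another organisation is only as strong as that
            # organisation's own hosting controls.
            findings.append((domain, "third-party domain granted access"))
        if entry.get("secure", "true").lower() == "false":
            # secure="false" lets SWFs loaded over plain HTTP use an HTTPS policy.
            findings.append((domain, 'secure="false": plain-HTTP SWFs may use this policy'))
    return findings


if __name__ == "__main__":
    for domain, reason in audit_policy(SAMPLE_POLICY, "example-social.com"):
        print(f"{domain}: {reason}")
```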
To think, all of this because of a small error in a crossdomain.xml file.