Facebook and MySpace have fixed major vulnerabilities that would have allowed attackers full access to accounts that had enabled automatic login.
A blog post by Yvo Schaap, an application developer on Facebook, claimed that a security backdoor was left 'wide open', with millions of accounts exploitable. Schaap claimed that he usually runs into walls that limit the functionality of his applications, but that he found a solution that allowed full access to and control of the Facebook user account that accessed his application.
He also said that such actions would be untraceable, as the exploit would run from the user's own IP address and domain cookie. Schaap said: "Flash applications run on a user's computer. A flash application is able to load data into its environment. This is done by a request of the application, where the user loads a certain URL.
"Luckily, just as with browser AJAX requests, a flash application hosted on domain X is unable to open a file on domain Y. If this were possible, domain X would be able to access content on domain Y, and when the user is logged in on domain Y, retrieve and post back any personal data.
"In certain cases this could limit flash application capabilities. A relevant example: an application wants to display public Facebook user thumbnails. The application is on domain X, the thumbnails on domain facebook.com. To resolve such issues, Adobe introduced a 'crossdomain.xml' file which could allow certain domains to access another domain, leading to cross domain access by certain or all domains."
He said that while Facebook had locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application to access its domain data.
Schaap said: “This wouldn't be a big deal if the subdomain only hosts images, but unfortunately this domain hosts the whole Facebook property, including a Facebook user session.”
He also commented on MySpace, claiming that a quick look at the MySpace crossdomain.xml file shows again a locked door, except for one element: the domain farm.sproutbuilder.com was enabled to access myspace.com data.
Schaap said: "A look at 'sproutbuilder' showed an application builder (which indeed has a module able to load MySpace data: news updates) but, more disturbing, an upload function allowed anybody to upload '.swf' files, the file extension of Flash applications. The location of the uploaded file? Farm.sproutbuilder.com [exploit closed], exactly the domain that is allowed access to MySpace data."
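Both weaknesses described above, the wildcard subdomain on Facebook and the third-party upload host on MySpace, are visible in the crossdomain.xml file itself, so a site owner can catch them with a policy audit before deployment. The following Python checker is an added example written for this article, not code from Schaap's post or from either company; the two policies it audits are constructed samples, and the first-party domain list is an assumption the site owner would supply.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration (not Facebook's or MySpace's real files).
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" />
  <allow-access-from domain="farm.thirdparty.example" />
  <allow-access-from domain="*" secure="false" />
</cross-domain-policy>"""

HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>"""

# Assumed: the domains the site owner actually controls.
FIRST_PARTY = {"example.com"}


def _is_first_party(domain, first_party):
    """True if domain is one of the owner's domains or a host beneath one."""
    return any(domain == fp or domain.endswith("." + fp) for fp in first_party)


def audit_policy(xml_text, first_party):
    """Return a list of (severity, message) findings for one crossdomain.xml.

    Each <allow-access-from> rule is checked for the three patterns that
    matter here: a bare wildcard, a wildcard subdomain (which also covers any
    host under it that serves logged-in pages, the Facebook case), and a
    domain the site owner does not control (the MySpace case).
    """
    findings = []
    # ElementTree does not resolve external entities, but for files fetched
    # from untrusted hosts a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]

    site_control = root.find("site-control")
    if site_control is None:
        findings.append(("medium", "no <site-control>; policy files elsewhere on the host are honoured"))
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control permits policy files anywhere on the host"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", "wildcard '*' grants every origin access"))
        elif domain.startswith("*."):
            findings.append(("high", f"wildcard {domain} grants every host under it access, "
                                     "including any that serve user sessions"))
        elif not _is_first_party(domain, first_party):
            findings.append(("high", f"third-party domain {domain} can read this origin's data"))
        # secure="false" lets a plain-HTTP origin read data served over HTTPS.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", f'secure="false" on {domain or "<empty>"}'))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"--- {name} policy ---")
        for severity, message in audit_policy(policy, FIRST_PARTY) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

The hardened policy shows the shape that avoids the article's two failure modes: `site-control` restricted to the master file, only named first-party hosts that serve nothing but static content, and `secure="true"` so HTTP origins cannot read HTTPS responses. A wildcard subdomain is flagged even when it is first party, because, as the Facebook case shows, one host under that wildcard serving session-bound pages is enough to expose the whole account.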
Concluding, Schaap said that all that is needed is an active session, or an 'auto login' cookie, and a URL which hosts an exploiting Flash file. When accessed, an automatic 'post update' could be made that would lure friends of the user to access the exploit URL, and the exploit would spread virally.
"A more invasive and hidden exploit could harvest all the user's personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn't be happening already with both Facebook and MySpace data," said Schaap.