Thu, 05 Nov 2009 Developer finds major coding errors in Facebook, MySpace
Simple problems may have exposed users' data for an unknown length of time
Social-networking sites MySpace and Facebook have apparently fixed coding errors that could have allowed an attacker access to all of their users' data and photos.
The simple coding errors are alarming considering the extent to which social networks have gone to reassure their users that their data will be safe. The problem involved the way those sites handle requests for data from other domains, known as the "cross-domain policy."
Sites such as MySpace and Facebook typically block other domains from requesting and receiving data for privacy reasons, except for their own vetted subdomains.
Facebook disallowed access from other applications on its main domain, but a developer in the Netherlands, Yvo Schaap, found that Facebook would allow data to be given out from one of its subdomains.
Yvo Schaap discovered the Facebook issues.
Since the subdomain also hosted all of Facebook's data, it would be possible to steal data by luring a victim to a URL with a Flash application rigged to grab the data if the victim had their auto-login enabled, which most people do, according to Schaap's blog.
A "more invasive and hidden exploit could harvest all the user's personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn't be happening already with both Facebook and MySpace data," Schaap wrote on his blog.
He also found the problem on MySpace, which allowed a domain called "farm.sproutbuilder.com" to access data. A Flash application could be uploaded to that site, which would then be allowed access to the data if a victim visited a malicious URL.
A look at Facebook's latest crossdomain.xml file shows that the bug appears to have been fixed. MySpace also appears to have taken "farm.sproutbuilder.com" out of its cross-domain list.
Facebook and MySpace could not be immediately reached for comment.
Check out our new Macworld Mobile site.
Follow Macworld UK on twitter: www.twitter.com/macworlduk
Contact Us
DiggEmail A Friend
Email this article to a friend or colleague:
PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.
Permalink This Article
This articles permalink is:
http://www.macworld.co.uk/digitallifestyle/news/index.cfm?RSS&NewsID=27652
Latest News
- To fight scammers, Russia cracks down on .ru domain
- Apple sets March 27 deadline for first iPad apps
- Microsoft pulls Bing app from UK and other non-US App Stores
- Apple to release 27in LED Cinema Display and Dodeca-Core Mac Pro
- Apps are a Goldmine for Developers
- iPad Expected to Beat iPhone's First 3-Month Sales
- Apple's iGroups patent to bring social networking to the iPhone?
- Apple Mac OS X 10.6.3 Snow Leopard update approaching
- iPad pre-orders at 10,000 a day
- Macworld April issue - on sale now
- Facebook won't overtake Google in UK
- Apple UK asks agencies to bid for £10m search work
Macworld Mobile
MACWORLD
FOR MOBILE
Related News
- Illegal downloads could cost Europe £215 billion by 2015
- The case for the 3G-capable iPad
- O2 says net piracy letters 'bully' web users
- Web users at risk of social networking addiction
- Facebook users targeted in massive spam run
- Google, Facebook poor at protecting privacy, says FTC commissioner
- ABC rule change opens door to iPad mags
- Amazon brings Kindle app to the Mac
- Facebook overtakes Google for first time
- How to Know if Your iPhone Battery is on Death Row
Mac Broadband?
Search news
Search Google
Newsletter signup
It's easy and free to get the latest news headlines, reviews and opinions straight to your email inbox. Sign up NOW to make sure you receive the latest Mac news, reviews and tutorials on your favourite topics.
Macworld reader poll
Are you planning to get any of the accessories with the iPad?:
Have your say in the
Macworld forums!
Register now
Stay on top of the latest, breaking Mac news and chat with other Mac professionals and enthusiasts about the issues that matter to you. Register with Macworld today to join our forums and receive our twice-weekly email newsletter, Macworld Mainline.
RSS
Have the latest content delivered to your desktop via RSS. Use the links below to get access to a specific blog, news, or reviews feed.
MACWORLD MARKETPLACE
 |
Computer & Laptop |
 |
Macworld 2010 Best of Show - Quickoffice is Your Mobile Office. Connected. |
 |
Same Day Mac Repairs |
 |
Things – task management has never been this easy |
 |
Trading4u |
 |
Beat the Credit Crunch - Lease your Mac from Hardsoft |
 |
Latest Version of Final Cut Studio and Final Cut Server now available - Special Offer !! |
 |
Circus Ponies NoteBook - the easy way to get organized on the Mac |
Click here for the latest reader comments