Yvo Schaap, a young Dutch developer building a Facebook application, stumbled on a back door into the account of any user who accessed the application he was working on. He discovered the exploitable mistake while trying to get around a limitation on his application, and realized that he could modify those accounts, and that his illegitimate interventions couldn't even be traced.
He immediately notified Facebook and MySpace – the two social networks shared the same problem – and both fixed it.
But how did this come to be? The developer explains in his blog post that Flash applications run on the user's computer and can request data from another domain and load it into their own environment. Normally, a Flash application hosted on one domain can't open a file on another. Because this sometimes limits what a Flash application can do, “Adobe introduced a “crossdomain.xml” file which could allow certain domains accessing another domain, leading to cross domain access by certain or all domains.”
Facebook did block Flash access from any non-Facebook domain, but by simply changing the subdomain you could get past that barrier and read data from the domain:
“This wouldn’t be a big deal if the subdomain only hosted images, but unfortunately this domain hosts the whole Facebook property, including a Facebook user session. If you have auto-login enabled on Facebook, you might recognize your full name and the keys to do actions from the account's credentials,” writes Schaap.
Moving on to MySpace, there is the same mistake again:
farm.sproutbuilder.com, the domain in question, hosted an application builder that can (among other things) upload Flash applications.
“All that has to happen is an active session, or an “auto login” cookie, and a URL which hosts an exploiting Flash file. For example, when accessed, an automatic “post update” could be made that would lure friends of the user to access the exploit URL, and the exploit would spread virally. A more invasive and hidden exploit could harvest all the user's personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn’t be happening already with both Facebook and MySpace data,” says Schaap.
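The mechanism behind both cases, as an added example written for this article and not code from Schaap or from either social network: a small crossdomain.xml audit that parses a policy, applies Adobe's domain-matching rules to decide whether a SWF served from a given origin may read the host's data, and flags the two failure modes described above, an over-broad allow entry on a host that serves logged-in session data (the Facebook case) and an allow entry that trusts a third-party host where anyone can upload a Flash file (the MySpace case). The policies and hostnames (social.example, apps.builder.example, evil.example) are constructed stand-ins, not the real Facebook or MySpace policies.

```python
"""Audit a Flash crossdomain.xml for over-broad or misplaced trust.

Adobe's rules for <allow-access-from domain="...">:
  "*"            any origin at all
  "*.x.example"  x.example and every subdomain of it
  "host.example" that exact hostname only
"""
import xml.etree.ElementTree as ET

# Constructed sample policies (not any real site's crossdomain.xml).
# 1) The Facebook-style mistake: a wildcard on a host that serves sessions.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

# 2) The MySpace-style mistake: trusting a host that accepts user SWF uploads.
UPLOADER_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="apps.builder.example"/>
</cross-domain-policy>"""

# 3) A tight policy: master-only, one exact first-party host.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.social.example"/>
</cross-domain-policy>"""


def parse_policy(xml_text):
    """Return the allow-access-from entries and the site-control setting."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not <cross-domain-policy>")
    allow = []
    for el in root.findall("allow-access-from"):
        allow.append({
            "domain": el.get("domain", "").strip().lower(),
            # secure="false" lets an http:// SWF read an https:// host
            "secure": el.get("secure", "true").strip().lower() != "false",
        })
    site_control = root.find("site-control")
    permitted = (site_control.get("permitted-cross-domain-policies")
                 if site_control is not None else None)
    return {"allow": allow, "permitted_policies": permitted}


def domain_matches(pattern, host):
    """Apply Adobe's matching rules for one allow-access-from entry."""
    host = host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def is_allowed(policy, swf_host):
    """Would a SWF served from swf_host be allowed to read this host's data?"""
    return any(domain_matches(e["domain"], swf_host) for e in policy["allow"])


def audit(policy, serves_session_data, user_upload_hosts=()):
    """List risky entries as dicts with code, domain and severity.

    serves_session_data: the host publishing this policy returns logged-in
    user content (not just static images), so broad trust is account access.
    user_upload_hosts: origins known to serve arbitrary user-supplied SWFs,
    so trusting them is equivalent to trusting everyone.
    """
    findings = []
    broad = "high" if serves_session_data else "low"
    for entry in policy["allow"]:
        d = entry["domain"]
        if d == "*":
            findings.append({"code": "wildcard", "domain": d, "severity": broad})
        elif d.startswith("*."):
            findings.append({"code": "subdomain-wildcard", "domain": d,
                             "severity": broad})
        if not entry["secure"]:
            findings.append({"code": "insecure-origin-allowed", "domain": d,
                             "severity": "medium"})
        for uploader in user_upload_hosts:
            if domain_matches(d, uploader):
                findings.append({"code": "user-upload-host-trusted",
                                 "domain": d, "severity": broad})
    return findings


if __name__ == "__main__":
    for name, text in (("wildcard", WILDCARD_POLICY),
                       ("uploader", UPLOADER_POLICY),
                       ("tight", TIGHT_POLICY)):
        pol = parse_policy(text)
        print(name, "allows evil.example:", is_allowed(pol, "evil.example"))
        print(name, "findings:",
              audit(pol, True, user_upload_hosts=("apps.builder.example",)))
```

Run as a script, the wildcard policy admits a SWF from evil.example outright, the uploader policy admits only apps.builder.example but that is just as bad once anyone can upload a SWF there, and the tight policy yields no findings. Note that the audit only reads the policy; whether the host actually serves session-bound data is something you establish by fetching it with a logged-in cookie, as Schaap did.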