computerworld.com — Social networking sites MySpace and Facebook have apparently fixed coding errors that could have allowed an attacker access to all of their users' data and photos. The simple coding errors are alarming considering the extent to which social networks have gone to reassure their users that their data will be safe. The problem involved....
Nov 5, 2009
jalbinson Nov 6, 2009
The security flaw seems to stem from the user being unable to resist clicking unknown URLs.
memper Nov 6, 2009
Putting in a wild card domain for access in a property XML file is not a code error. It's an oversight. I would guess the developer had no way to know what end domains were going to need access and set up an open policy during development. The final setup of this file was likely lost on the crew that ultimately deployed it. Cross domain issues are going to become more prevalent with HTML 5, and there is little to no agreement among browsers on how to handle cross domain policies as the cloud becomes a standard mechanism of data storage. The only reason Flash is involved here is because Macromedia (now part of Adobe) began the process of domain validation by suggesting a standard and deploying a crossdomain policy format. The first into the fire feels the heat. There needs to be greater consensus among browser makers and plugin makers about how to handle cross domain access and at what point a server advertises itself during deployment that security issues might exist with the chosen deployed policy files. There is no reason a server couldn't have self-tested and found this hole and alerted admins during its init process. The safety of data in the cloud depends on server integrity. Blaming the front end coder for a server property only compounds and highlights the issue. Welcome to the cloud.
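The startup self-test suggested in the comment above, sketched as an added example that is not part of the original thread or of any site's code: it parses a Flash cross-domain policy file and refuses deployment when a wildcard grant is present. The function names, severity labels and sample policies are assumptions made for illustration; the element and attribute names are those of Adobe's cross-domain policy format.

```python
import xml.etree.ElementTree as ET

# Elements of the cross-domain policy format that grant access to other origins.
GRANTING_TAGS = ("allow-access-from", "allow-http-request-headers-from")


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one policy file."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    findings = []
    for elem in root:
        if elem.tag not in GRANTING_TAGS:
            continue
        domain = elem.get("domain", "").strip()
        if domain == "*":
            # The open development-time policy the comment describes.
            findings.append(("high", f"<{elem.tag}> grants access to every domain"))
        elif "*" in domain:
            findings.append(("medium", f"<{elem.tag}> uses wildcard '{domain}'"))
        # secure="false" lets content served over HTTP read HTTPS responses.
        if elem.get("secure", "true").lower() == "false":
            findings.append(("medium", f'<{elem.tag}> for {domain!r} sets secure="false"'))
    return findings


def startup_check(xml_text):
    """True if the policy may be deployed (no high-severity or error finding)."""
    return not any(sev in ("high", "error") for sev, _ in audit_policy(xml_text))


# Constructed sample policies, not taken from any real site.
OPEN_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

SCOPED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="static.example.com"/>
  <allow-access-from domain="*.example.com" secure="false"/>
</cross-domain-policy>"""

if __name__ == "__main__":
    for name, text in (("open", OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "deployable:", startup_check(text))
        for severity, message in audit_policy(text):
            print(f"  [{severity}] {message}")
```

Run against the deployed `crossdomain.xml` during server init or in a deployment pipeline, a failed `startup_check` is the alert to admins that the comment asks for.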
jtmon Nov 6, 2009
Zynga also just updated to block Mafia Wars Autoplayer but also to close holes in common coding mistakes like forgetting to sanitize <, >, etc. Instead of fixing it the correct way, they now started a policy where you cannot have those characters in your name. This wouldn't be so bad except they want you to PAY REAL MONEY to change your name!!
rally25rs Nov 6, 2009
Well, more specifically they use a lot of duplicated ID tags. And things like not closing elements (<td> cell1 <td> cell2) vs (<td> cell1 </td> ...). Again, it's been a while since I've looked... maybe they improved. I got sick of looking at other people's 'pimped' pages and decided no longer frequenting MySpace was better than gouging out my eyes.
saperekier Nov 7, 2009
It's true. There's also an easy workaround for viewing friends' private pics as well. Though I won't share the details because they might fix it. ;-)
judgemonkey Nov 7, 2009
Seriously though. He said to keep sensitive information to yourself because you never know what vulnerabilities will crop up (yes, even digg might have them). Sensible suggestion. Nowhere in his post did he declare himself Mr. Magic who could find and... (hehe hehe) penetrate any back door.
johnnysoftware Nov 11, 2009
Three hours ago Leo Laporte tweeted that he cannot log into Facebook and it also would not allow him to reset his password.