OpenIDThursday, 5th November 2009
Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from-domain=“*” in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files. 
9:47 am
Google Dashboard. New Google product which shows exactly how much information Google have stored against your account, all on one page. This is a really useful tool, and hopefully will help set a powerful precedent for other sites to follow. 
2:03 pm
Cross-domain policy file usage recommendations for Flash Player. One of the best explanations of the security implications of crossdomain.xml files I’ve seen. If you host a crossdomain.xml file with allow-access-from domain=“*” and don’t understand all of the points described here, you probably have a nasty security vulnerability. 4:24 pm
If you are demanding registration before checkout, you need to cease this practice immediately. It is costing you a fortune.
— Bruce Tognazzini 
7:22 pm
