Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from-domain=“*” in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files.
Sign in with 
OpenID
Ah, Flash, everybody's favourite annoying buggy inaccessible CPU-hogging security hole.
dmc - 5th November 2009 15:30 - #
The wiki page that TechCrunch links to describes an unrelated Flash vulnerability regarding how it handles crossdomain.xml files.
This vulnerability is related to developers using crossdomain.xml files, specifically when creating open policies.
I'm a bit bored by 3-year-old topics, but maybe I'll blog about it again to clear up any confusion.
Chris Shiflett - 5th November 2009 17:52 - #