Simon Willison’s Weblog

Subscribe

Thursday, 5th November 2009

Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from-domain=“*” in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files.

# 9:47 am / crossdomainxml, flash, security, facebook, myspace, swf

Google Dashboard. New Google product which shows exactly how much information Google have stored against your account, all on one page. This is a really useful tool, and hopefully will help set a powerful precedent for other sites to follow.

# 2:03 pm / google, dashboard, privacy

Cross-domain policy file usage recommendations for Flash Player. One of the best explanations of the security implications of crossdomain.xml files I’ve seen. If you host a crossdomain.xml file with allow-access-from domain=“*” and don’t understand all of the points described here, you probably have a nasty security vulnerability.

# 4:24 pm / crossdomainxml, flash, security, adobe

If you are demanding registration before checkout, you need to cease this practice immediately. It is costing you a fortune.

Bruce Tognazzini

# 7:22 pm / registration, login, signup, information-architecture, bruce-tognazzini

2009 » November

MTWTFSS
      1
2345678
9101112131415
16171819202122
23242526272829
30