Simon Willison’s Weblog

Subscribe

Thursday, 5th November 2009

If you are demanding registration before checkout, you need to cease this practice immediately. It is costing you a fortune.

Bruce Tognazzini # 7:22 pm

Cross-domain policy file usage recommendations for Flash Player. One of the best explanations of the security implications of crossdomain.xml files I’ve seen. If you host a crossdomain.xml file with allow-access-from domain=“*” and don’t understand all of the points described here, you probably have a nasty security vulnerability. # 4:24 pm

Google Dashboard. New Google product which shows exactly how much information Google have stored against your account, all on one page. This is a really useful tool, and hopefully will help set a powerful precedent for other sites to follow. # 2:03 pm

Facebook and MySpace security: backdoor wide open, millions of accounts exploitable (via) Amazingly, both services had wide open holes in their crossdomain.xml files. Facebook were serving allow-access-from-domain=“*” in the crossdomain.xml file on one of their subdomains (a subdomain that still had access to the user’s profile information) while MySpace were opting in farm.sproutbuilder.com, a service which allowed anyone to upload arbitrary SWF files. # 9:47 am

2009 » November

MTWTFSS
      1
2345678
9101112131415
16171819202122
23242526272829
30