A web developer from Amsterdam, who goes by the name Yvo, discovered a way a user could get access to other domains when logged into Facebook or Myspace. After he notified the two sites, the holes were patched.
Here’s Yvo’s description:
“…Adobe (Flash’s developers) introduced a ‘crossdomain.xml’ file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain=”*”) to access its domain data.”
His blog post here.
Yvo, we’re glad you found it before anyone else did.
Tom Kelchner