
A web developer from Amsterdam, who goes by the name Yvo, discovered a way a user could get access to other domains when logged into Facebook or Myspace. After he notified the two sites, the holes were patched.

Here’s Yvo’s description:

“…Adobe (Flash’s developers) introduced a ‘crossdomain.xml’ file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains. While indeed Facebook locked the front door from any non-Facebook domain access via Flash, a simple subdomain change allowed any flash application (domain=”*”) to access its domain data.”

His blog post here.
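The pattern Yvo describes, a locked-down main domain next to a subdomain serving a `domain="*"` policy, can be checked for across all of a site's hostnames. The sketch below is an added example, not code from Yvo's post or from either site; the host names and policy files are constructed, and it assumes the policy text has already been collected from each of your own hosts' `/crossdomain.xml`.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, keyed by the host that would serve /crossdomain.xml.
SAMPLE_POLICIES = {
    # "Front door": only the site itself is allowed.
    "www.example.test": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.example.test"/>
</cross-domain-policy>""",
    # Subdomain with the wildcard the quote refers to.
    "api.example.test": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>""",
}


def audit_policy(host, xml_text):
    """Return findings for one host's crossdomain.xml (empty list = nothing flagged)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"{host}: policy does not parse ({exc})"]
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = (rule.get("domain") or "").strip()
        if domain == "*":
            # Full wildcard: Flash content hosted anywhere may read this host's data.
            findings.append(f'{host}: domain="*" grants access to Flash content from any site')
        elif rule.get("secure", "true").lower() == "false":
            # secure="false" lets content loaded over plain HTTP use an HTTPS policy.
            findings.append(f'{host}: secure="false" set for {domain}')
    return findings


def flagged_hosts(policies):
    """Hosts with at least one finding, sorted for stable output."""
    return sorted(h for h, text in policies.items() if audit_policy(h, text))


if __name__ == "__main__":
    for host in flagged_hosts(SAMPLE_POLICIES):
        for finding in audit_policy(host, SAMPLE_POLICIES[host]):
            print(finding)
```

Run it over every hostname under the parent domain, not only the main site, since the quoted case turned on a subdomain.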

Yvo, we’re glad you found it before anyone else did.

Tom Kelchner