Feeds

Facebook, MySpace backdoor exposed user accounts

Bit drafty in here

Internet Security Threat Report 2014

Facebook and MySpace have closed gaping security holes in their sites that gave attackers full access to accounts that had automatic-login features enabled.

The vulnerabilities, documented here by a Facebook application developer, were significant. Because the unauthorized access would be mapped to the victim's IP address and website cookie, the intrusions would be virtually untraceable. Attackers were then free to download photos and messages designated as private with no indication at all to the victim.

Facebook and MySpace closed the backdoors shortly after being notified, a marked improvement from the past, when the sites sometimes allowed serious security holes to persist for months. Still, it probably shouldn't have taken an outsider to discover the bug. This is the latest episode to demonstrate that the only sure way to ensure that data is private is to keep it off social networking sites altogether.

The backdoors were the result of a misconfiguration of a crossdomain.xml, a file websites use to share content using Adobe Flash across domains. Some of the domains that were accessible exposed authentication tokens for accounts that had the auto-login feature turned on.

Facebook developers had blocked access from the main domain, but didn't bother to notice the sensitive data was accessible when Facebook subdomains were used. MySpace similarly locked its front door but left a window at farm.sproutbuilder.com, which had full access to the data.

The holes could be exploited by luring victims to sites that had a Flash application installed designed to grab the authentication information, the developer said. ®

Intelligent flash storage arrays

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.