IDG News Service - Social networking sites MySpace and Facebook have apparently fixed coding errors that could have allowed an attacker access to all of their users' data and photos.

The simple coding errors are alarming considering the extent to which social networks have gone to reassure their users that their data will be safe. The problem involved the way the sites handle requests for data from other domains, known as the "cross-domain policy."

Sites such as MySpace and Facebook typically block other domains from requesting and receiving data for privacy reasons, except for their own vetted subdomains.

Facebook disallowed access from other applications on its main domain, but a developer in the Netherlands, Yvo Schaap, found that Facebook would allow data to be given out from one of its subdomains.

Since the subdomain also hosted all of Facebook's data, it would be possible to steal data by luring a victim to a URL with a Flash application rigged to grab the data if the victim had their auto-login enabled, which most people do, according to Schaap's blog.

A "more invasive and hidden exploit could harvest all the user's personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn't be happening already with both Facebook and MySpace data," Schaap wrote on his blog.

He also found the problem on MySpace, which allowed a domain called "farm.sproutbuilder.com" to access data. A Flash application could be uploaded to that site, which would then be allowed access to the data if a victim visited a malicious URL.

MySpace disagreed with the severity of the error, saying it would have only exposed information that was already public. The problem was with the sproutbuilder domain, and it has since been fixed, a spokeswoman said in an e-mailed statement.

Related Podcast

Facebook, MySpace fix serious coding errors.

"No public MySpace data was exposed and the vulnerability was never exploited," the statement read.

A look at Facebook's latest crossdomain.xml file shows that the bug appears to have been fixed. MySpace also appears to have taken "farm.sproutbuilder.com" out of its cross-domain list.

In an e-mailed statement, Facebook said it "worked with the researcher who identified this issue to fix it. We have not received any reports that it was ever exploited."

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Facebook MySpace security

Additional Resources

WHITE PAPER

Do You Know the 7 Steps to Successful Data Migration?

Approximately 60 percent of data migration projects overrun time or budget, while some fail completely. Download this white paper, "Enhancing Your Chance for Successful Data Migration," to learn the critical steps you need to take to execute a data migration project with minimum cost and risk to your business.

WHITE PAPER

Total Cost of Ownership of Server Computing Vs. PCs

Read the Gartner research note to learn why the TCO of a server-based computing deployment used to deliver all applications to users is around 50% lower than that of an unmanaged desktop deployment.

WHITE PAPER

IDC White Paper: Linux in a Global Recession

Economic downturns have a tendency to accelerate emerging technologies, boost the adoption of effective solutions, and punish solutions that are not cost competitive or that are out of synch with industry trends. This IDC White Paper presents the results of an IDC survey of 330 companies in Western Europe, Asia/Pacific and the Americas that measures the receptiveness to Linux and takes into consideration changing views driven by the disruptive economic environment that businesses face today.

What People Are Saying

7 comments | Add new

See all comments (7) | Add new

White Papers & Webcasts

Top 10 Things to Know about Data Protection
Download Now

Extending Client Refresh - 11 Steps to Maximize Savings
Register Now!

The Power/Density Paradox: The Result of High Density without Power Efficiency
Download this brief to explore what the power/density paradox is and how IT professionals can mitigate the risk.

Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!

The State of PCI DSS Compliance at Organizations Today
Download this resource today!

Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!

Symantec Veritas NetBackup Design Best Practices with Data Domain
Learn in-depth about best practices for Archiving Integration, NBU Catalog Backups and NBU Disaster Recovery.

Consolidate Your Servers and Storage to Lower Costs with Oracle Database 11g
Register for this webcast!

VMware Data Backup and Recovery Best Practices
Learn best practices for architecting a backup/recovery/DR approach for VMware with Data Domain.

The Commercialization of ITIL: Lessons Learned
Register for this event today!

All White Papers | All Webcasts

Computerworld Reports

8 Questions To Ask About Your Intrusion-Security Solution

Computerworld Technology Briefings IT Service Management

Computerworld Briefing - Analytics: The Art and Science of Better

All Computerworld Reports

Business Continuity Zone
An organization's business continuity plan helps keep critical functions running during an emergency–the power fails, a virus is unleashed on your network, a natural disaster has occurred. Even the slightest downtime or loss of data can cripple your operation. CDW can help you prevent disaster by implementing a well-planned recovery strategy.
Click here to visit the Zone

See All Zones

	Storage
	Computerworld Daily News (First Look and Wrap-Up)
	Computerworld Blogs Newsletter
	The Weekly Top 10
	Cloud Computing

resource center

Newsletter Sign-Up

Developer finds major coding errors in Facebook, MySpace

Related Podcast

Facebook, MySpace fix serious coding errors.

Facebook MySpace security

Additional Resources

What People Are Saying

White Papers & Webcasts

Computerworld Reports

White Papers

Sponsored Links