Major Facebook, MySpace flaw may expose users' private data

Developer finds coding error that leaves data open to hackers

  • Email to a friend
  • Print this article
  • Bookmark this page
  • RSS feed

By Jeremy Kirk
Published: 16:08 GMT, 05 November 09

MySpace and Facebook have apparently fixed coding errors that could have allowed hackers to access to all of their users' data and photos.

The simple coding errors are alarming considering the extent to which social networks have gone to reassure their users that their data will be safe. The security flaw involved the way those sites handle requests for data from other domains, known as the "cross-domain policy."

Sites such as MySpace and Facebook typically block other domains from requesting and receiving data for privacy reasons, except for their own vetted subdomains.

Facebook disallowed access from other applications on its main domain, but a developer in the Netherlands, Yvo Schaap, found that Facebook would allow data to be given out from one of its subdomains.

Since the subdomain also hosted all of Facebook's data, it would be possible to steal data by luring a victim to a URL with a Flash application rigged to grab the data if the victim had their auto-login enabled, which most people do, according to Schaap's blog.

A "more invasive and hidden exploit could harvest all the user's personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn't be happening already with both Facebook and MySpace data," Schaap wrote on his blog.

He also found the problem on MySpace, which allowed a domain called "farm.sproutbuilder.com" to access data. A Flash application could be uploaded to that site, which would then be allowed access to the data if a victim visited a malicious URL.

A look at Facebook's latest crossdomain.xml file shows that the bug appears to have been fixed. MySpace also appears to have taken "farm.sproutbuilder.com" out of its cross-domain list.

Facebook and MySpace could not be immediately reached for comment.

Facebook photos cost IBM employee health insurance | Facebook 'unfriending' enters the Oxford dictionary | Security expert stunned by personal information held by bank

Contact Us

For editorial queries:
Max Cooter max_cooter@techworld.com

For website issues:
Email webmaster@techworld.com

For commercial queries
Russell Kearney russell_kearney@idg.co.uk

For more contact details click here.

What are your views on this subject? Use the form below to post a comment on this article up to 500 characters.

Characters remaining: 500

Related Networking news

Riverbed releases new Steelhead WAN optimiser

Network accelerator to use solid state drives

09 February 2010

Europe lagging behind on fibre broadband adoption

Fibre penetration higher in North America and Asia

VoIP patent under review by Patent Office

Electronic Frontier Foundation says C2's wide-ranging patent is invalid

YouTube now supports IPv6

Video sharing site implements new network protocol

Related Networking reviews

LG NAS N4B1 review

Novatel Intelligent Mobile Hotspot MiFi 2352 review

Synology DiskStation DS509+ review

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Challenges and opportunities of PCI

The Payment Card Industry Data Security Standard provides an enterprise structure for improving operational, security, and audit performance. The benefits of the PCI DSS go beyond audit costs and results.

Download Whitepaper

Database security: Preventing enterprise data leaks at the source

IDC discusses the growing internal threats to business information, the impact of government regulations on the protection of data, and how enterprises must adopt database security best practices...

Download Whitepaper

Six essential steps to successful IT centralisation

This report, based on the real experience of a recent centralisation project, is aimed at those involved in IT strategy within their organisation. It provides some practical insights for CIOs, CTOs, Heads of IT, IT Directors and those involved more closely with the service management function.

Download Whitepaper

Application Grid: The ideal platform for IT consolidation

Evaluating the opportunity for consolidation of middleware — Java application servers and related technologies.

Download Whitepaper

Techworld UK - Technology - Business

COLT White Paper

Are all VoIP services the same?

Questions to ask your service provider to ensure you get the VoIP service you need
With careful choice of partner, your business can have all the advantages of VoIP access - reduced costs, flexibility and simplicity - without the drawbacks.
This white paper is your guide to ensure you get right the VoIP service and details the pitfalls which businesses would do well to avoid.

Download white paper
COLT White Paper

IT Misuse Survey

Complete this survey and you could win a Nexus One

Techworld are running a short survey to discover how UK businesses are managing Internet and email misuse in the Enterprise.

Complete Survey

Webcast: IT Financial Management: Cost Optimisation for Efficiency and Agility.
On Demand Webcast
Join this webcast to learn about the techniques and technologies that can help you prove the value of IT to the business by understanding the true cost of today's IT services and those that will be necessary to deliver future success.

Register Today

Site Map

IDG Network

* *