MySpace security measure disables viral spread of widgets
by Marshall Kirkpatrick on July 20, 2006

MySpace has taken a step to increase security that disables a key method for third party vendors to spread their services inside the online social network. The company is inserting an attribute into the embed code of flash widgets that disables their outgoing links, and because only the newest player honors that attribute, it is pushing users to install Flash Player 9 by requiring it in order to view MySpace hosted video. Widgets will still operate, but users who have upgraded to Flash 9 will be unable to click through to the widget vendor’s site and get a copy of the widget for themselves.

Just as javascript has been unusable in MySpace, most flash objects are now unable to link out to third party sites when viewed with Flash Player 9. MySpace users are being encouraged to download Flash Player 9 in order to view MySpace hosted video. When they do so, almost all other widgets (YouTube, etc.) no longer link out to third party sites because of code inserted by MySpace after a security breach last weekend. Some flash widgets appear unaffected, but there is no clear reason why. Being displayed in a music section profile is the only difference that I and several friends could see between the few widgets that still link out and those that don’t.

This means that the “get this widget” function so key to the viral spread of a growing industry of MySpace widgets will soon be unavailable. It also appears to mean that MySpace remains vulnerable to the worm the site sought to stop: the restriction is enforced by the player, not by the site, so anyone who has not upgraded to Flash 9 is no better protected than before.

The new version of flash was required after a flash based worm was discovered this weekend that had spread far and wide through the site and sent users to an off site page claiming that the U.S. government was behind the 9/11 terrorist attacks. Blogger Alice Marwick, with assistance from Josh Santangelo, pointed out today that when Flash 9 is installed, site administrators have the option of turning off the ability for flash objects to link externally. MySpace administrators have apparently made that choice; users can no longer click through embedded YouTube Flash objects to pages off site once they have installed the Flash Player 9 that is required to view MySpace hosted videos.

Specifically, MySpace is inserting ‘allowNetworking=”internal”’ into the embed code of some flash widgets. Flash Player 9 honors that attribute: a widget so tagged can still fetch its own data over the network (playlists, images, XML), but it can no longer ask the browser to navigate, so calls such as ActionScript’s getURL, which most widgets use for their “get this widget” link, silently do nothing. Why the attribute is not inserted into all of the widgets, including some video players, is unclear.
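As an added illustration, not code from the original post or from MySpace, here is the kind of host-side rewrite the paragraph describes: it takes user-submitted profile markup and forces allowScriptAccess=”never” and allowNetworking=”internal” onto every <embed>, and the equivalent <param>s into every <object>, while copying every other attribute value through untouched. The function names and the sample embed it runs on are constructed for the example.

```javascript
// Added example, not MySpace's code: a host-side rewriter that forces the two
// Flash sandbox attributes the post describes onto user-submitted markup.
// Function names and the sample markup are constructed for this illustration.

// Attributes Flash Player 9 honours on an <embed> tag, or as <param>s of an
// <object>; the values and their meaning are from Adobe's documentation.
const FORCED = {
  allowscriptaccess: 'never',   // SWF may not call JavaScript in the host page
  allownetworking: 'internal',  // SWF may load data (XML, images) but may not drive
                                // the browser: getURL/navigateToURL are blocked
};
const isForced = (key) => Object.prototype.hasOwnProperty.call(FORCED, key);

// One attribute: a name with an optional "", '' or bare value. Names are compared
// case-insensitively; values are passed through untouched, because any rewrite
// that changes their case would corrupt base64 data or case-sensitive paths in src.
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(body) {
  const attrs = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
    attrs.push({ name: m[1], value });
  }
  return attrs;
}

function serialize(attrs) {
  return attrs.map((a) => (a.value === undefined
    ? a.name
    : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`)).join(' ');
}

// Override a vendor-supplied allowScriptAccess/allowNetworking in place and
// append whichever of the two is missing, so the sandbox never depends on what
// the widget author chose to write.
function forceAttrs(attrs) {
  const present = new Set();
  const out = attrs.map((a) => {
    const key = a.name.toLowerCase();
    if (!isForced(key)) return a;
    present.add(key);
    return { name: a.name, value: FORCED[key] };
  });
  for (const key of Object.keys(FORCED)) {
    if (!present.has(key)) out.push({ name: key, value: FORCED[key] });
  }
  return out;
}

// Every <embed ...> or <embed .../>, however sloppily spaced, is re-emitted with
// the forced attributes. Assumes no '>' inside attribute values.
function hardenEmbeds(html) {
  return html.replace(/<embed\b([^>]*?)\s*(\/?)>/gi, (_all, body, slash) =>
    `<embed ${serialize(forceAttrs(parseAttrs(body)))}${slash ? ' /' : ''}>`);
}

// <object> carries the same settings as <param name=... value=...> children:
// rewrite the params that exist and insert the missing ones after the open tag.
// Assumes objects are not nested inside one another.
function hardenObjects(html) {
  return html.replace(/(<object\b[^>]*>)([\s\S]*?)(<\/object>)/gi, (_all, open, inner, close) => {
    const present = new Set();
    const body = inner.replace(/<param\b([^>]*?)\s*(\/?)>/gi, (all, pbody, slash) => {
      const attrs = parseAttrs(pbody);
      const nameAttr = attrs.find((a) => a.name.toLowerCase() === 'name');
      const key = nameAttr && nameAttr.value !== undefined ? nameAttr.value.toLowerCase() : '';
      if (!isForced(key)) return all;
      present.add(key);
      const fixed = attrs.filter((a) => a.name.toLowerCase() !== 'value');
      fixed.push({ name: 'value', value: FORCED[key] });
      return `<param ${serialize(fixed)}${slash ? ' /' : ''}>`;
    });
    const missing = Object.keys(FORCED)
      .filter((k) => !present.has(k))
      .map((k) => `<param name="${k}" value="${FORCED[k]}">`)
      .join('');
    return open + missing + body + close;
  });
}

function hardenFlashMarkup(html) {
  return hardenEmbeds(hardenObjects(html));
}

// Constructed sample: a 2006-style YouTube embed as a user might paste it, with
// sloppy spacing, a vendor-chosen allowScriptAccess="always" and a mixed-case src.
const SAMPLE =
  '<object width="425" height="350">' +
  '<param name="movie" value="http://www.youtube.com/v/AbC123xyZ">' +
  '<param name="allowScriptAccess" value="always">' +
  '<embed src="http://www.youtube.com/v/AbC123xyZ"  type="application/x-shockwave-flash" ' +
  'allowScriptAccess="always"   width="425" height="350" /></object>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(hardenFlashMarkup(SAMPLE));
}
```

Two details matter for a rewrite like this. It must not fail open: the tokenizer accepts sloppy spacing, unquoted values and self-closing slashes, so a malformed tag still gets the attributes rather than slipping past the filter. And it must not alter the values it does not own, since a pass that lower-cased or re-encoded src would break base64 payloads and case-sensitive paths in otherwise harmless widgets. The attributes only do anything for viewers whose player honors them, which is why the upgrade push to Flash Player 9 is part of the same move.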

That’s a major blow against the viral spread of services like YouTube, RockYou and countless emerging others. I’ve been talking to a lot of widget vendors lately, and “it works in MySpace” is now a primary selling point. Companies are investing large amounts of money in widgetizing content from one site onto another, and MySpace is huge. This move, in the name of security, will likely do serious damage to the cottage industry of flash widgets in MySpace. Inasmuch as users love their widgets, that means it will do serious damage to MySpace as well.

Related: with the addition of yesterday’s news about the mass exposure to adware via a banner ad on MySpace, things are not looking good for the company’s image.

Comments

It’s about time! I hate myspace anyway, I can’t stand the clutter and the page designs that people use.

 

Unbelievable. This will be a huge blow to MySpace in the long-run. They had better find another workaround.

 

Flash Player 9 is not in beta. The non-beta version was released on June 28th.

 
 

Is MySpace making these changes totally in the dark? Do they post technical updates anywhere?

I guess they have to do something to mitigate the security issues. MySpace has attracted some amazing Flash-based widgets. They may open a competitive gap if they try to close out all the widget-makers.

At the very worst — they can always restrict allowed external sites to a white-list that you have to signup for.

 

any company that relies heavily on the ability to do something on another company’s product has a flawed business model.

 

I think there are a few companies with fine business models that rely on Microsoft’s products, Oboy.

 

I just tried my RockYou widget and my Youtube embed. You can still watch the slideshow and videos, you just can’t click out to another site. If this will protect redirects, then it’s all good.

 

allowNetworking=”internal” was pushed out the door for Flash 9 at the last minute. I would bet that MySpace pressured Adobe into adding this to Flash 9 for the official release. I am a widget developer so I noticed that myspace started inserting allowNetworking=”internal” a week ago. Their first try at this broke all stickers being inserted for a while because it converted the EMBED src to lower case (breaking base64 codes, among other things). They quickly fixed that issue. I tried to search for references to allowNetworking in the Flash documentation and found only one reference. At the time, Google returned 16 results (all mostly irrelevant). I thought everything was okay, because I was using a beta release of Flash 9 (9,0,0,296 to be exact) - all of my stickers and links worked fine. 9,0,0,296 does not recognize allowNetworking=’internal’! As far as I know, 9,0,0,296 was the last beta release before the final one, please correct me if I am mistaken.

It looks like MySpace is bossing Adobe around, and it can with its market share. We’ll all be along for the ride.

 

Wait, wait… am I reading this right?

1. There is a flash worm spreading across MySpace. It spreads itself to users’ profile pages, by using several absolutely bone-headed security flaws with MySpace. It also directs users to an external page they may not have necessarily wanted to go to.

2. MySpace does not fix their own security problems.

3. MySpace gets Adobe to add a feature to prevent users from being directed to external pages. This, incidentally, destroys the functionality of a great many non-malicious Flash widgets users have already placed.

Good job, MySpace. You patched the symptoms and not the cause. God forbid you should actually, you know, rewrite some of your own crappy code now and then. Meanwhile you’ve pissed off a lot of innocent users.

Full disclosure: I work for a company that is currently pursuing an aggressive marketing campaign by distributing Flash widgets on MySpace. I do not believe this is a good use of our resources, or even that astroturfing is an acceptable method of marketing, but hey I’m not in charge around here.

 

Yeah, this has been interfering with our StyleFeeder widget. I think it’s still possible to have links to external sites as long as you use the target=”_blank” attribute, but I’m not 100% sure; we’re still testing.

 
 

It is really a shame that anytime there is a free cool (I don’t use it but obviously someone thinks it’s cool) service that a lot of people use it has to get all locked down because of a few jerks.

 

Flash Player 9 for Intel Macs is still in beta. For Windows and PowerPC Macs, it’s officially released. The regular download page is http://adobe.com/go/getflashplayer/. You might get redirected to the other one if you have an Intel Mac.

 

The mojungle player is a flash widget. We would love for MySpace to continue supporting 3rd party developers, but at the same time we are not platform dependent. Our player works on Xanga, Blogger and any HTML enabling site. I would argue this is the same for the majority of widget developers.

This post is a little misleading. MySpace has no intention of preventing 3rd party widgets. They are simply requesting users to upgrade their version of Flash. As far as I am concerned this is a great thing. Our player is backwards compatible to Flash 6, but if 80 million plus users start downloading Flash 9, there is now a world of opportunity for mojungle.

I will say though that if MySpace has any intentions of using recent events as a reason for not supporting 3rd party developers, it will single handedly be the biggest mistake they have yet to make. Why burden your resources with product development when creating a stable platform for 3rd party developers has proven to be sufficient for user retention and growth?

 

am i the only one for whom everything seems to be working just fine?

 

Joe and anyone else who isn’t seeing a problem, the problem only occurs when you’ve upgraded to Flash 9. I’ve tried to clarify this, but I had people testing it for me all afternoon so I’m pretty sure that’s the case.

 

Just to clarify, because some of the comments seem confused. Widgets still embed fine and they can request data from external sources (like playlists for slideshows, etc.). What they can’t do is open a new browser window anymore. Most widgets have a link on them somewhere that the user can click on to go to the company home page or get a widget of their own. This link usually opens the target site in a new browser window using the ActionScript “getURL” command. The allowNetworking tag prevents this from working.

Existing code isn’t rewritten, it’s only when you add new code or edit your profile that the allowNetworking tag is added.

So click on a slideshow widget that was added to someone’s page 2 months ago and a new window will still popup. Add that same slideshow widget now or edit your profile, and when you click on it nothing will happen.

If you don’t have Flash Player 9, you won’t see this behavior. But I noticed when I logged in today that right after login they immediately showed a page with Flash 9 content in it to try to force an upgrade. According to the Adobe site, for Windows the latest plugin version number is 9.0,16,0.

For a long time MySpace has also been writing the allowScriptAccess=never tag into all Flash embeds, which is supposed to prevent the embed from calling any JavaScript in the host web page. The exploit somehow got around that with a bunch of evil cleverness.

They are also enforcing tighter control over leaving widgets in people’s comments pages. Usually the high-level setting a user has is to enable or disable HTML in comments. I did a quick test and tried to leave a widget in a comment on a MySpace page that had HTML comments enabled and saw the following message:

———-
The comment you submitted contains an embedded object. It must be approved by the user before it is displayed on their profile.
———-

So I logged in as the page owner and I had the following message waiting for me:

———-
Request to Approve Profile Comment with Embedded Content
Body: SomeUser has posted a new Profile comment about you on MySpace! Although your privacy settings allow Profile comments to be automatically posted, the following comment contains an embedded object. Embedded objects may generate popup ads, read cookie information, or perform other functions outside the scope of acceptable use. Please click the link below to view or deny this comment.
———-

The default action is to Deny the comment. It actually took me a minute to figure out how to Approve it (click on the view link, and from there you can Approve).

That’s what I knows…

 

I suspect this move was coming sooner or later, and the virus this weekend just sped up myspace’s decision to go forward with this change. While the companies that really want to do myspace widgets can’t link out of the site, I bet they _can_ link to another myspace profile. Those profiles could then have links to outside webpages. Since commercial myspace profiles cost companies thousands of dollars, I bet this is myspace just trying to grab some money from people they’ve previously seen as freeloaders on their site.

Or maybe this is just something that will happen as a result. Either way, it may make a viable revenue model for myspace as widgets become a larger market. What it does is let myspace somewhat control the advertising to other sites on myspace, even when those advertisements are added by their users as widgets.

Fun stuff!

 

The spelling of ‘alot’ is ‘a lot’. Can’t believe you’re a writer.

 

Perhaps the Mac version for FP 9 is in beta, but the PC version is indeed finalized. I wouldn’t imagine Adobe would ever make a beta version the main download link from their homepage.

 

Great, good job, you fixed it.

Yahoo is buying Facebook.

 

Marshall,
The linking back to the vendor is not necessary to get the widget. Take a look at the MySpace widgets on this guys site:
http://www.myspace.com/uberbelly
the little coloured players - halfway down - have “share this song”, and it provides the code within the player for copying the widget.

The bigger issue is how widget makers, like http://www.projectopus.com, is going to monitize the widget without a site to link back to.

 

How long before myspace start charging companies a ‘verification fee’ to allow their widgits (from their domain) to link to the outside world?

Also, Aaron Weber said that it still works if you use target = _blank… can anyone verify this?

 

I tried target=”_blank” and pointing getURL to a MySpace internal page with absolute and relative paths. None of them worked.

 

Furthermore, an <a> tag within a Flash text object will show up as a link and not open, even if you right click on the link and select “open” or “open in new window”. Copying the link works on the other hand. This is just faulty behavior - further suggesting that this “feature” was rushed out the door by Adobe (in addition to its sudden appearance).

If the issue was fixing javascript execution through link opening, then they would have fixed that. This is really about blocking external linking period.

 

Where there’s a will to exploit myspace vulnerabilities, there’s a way.

 

I wonder how many ‘blingers’ actually know what the code they are inserting means?

You could almost insert an Steal this tag outside the tag and hope that they simply copy and paste the whole code.

 

Argh! sorry! I did not know HTML is enabled! It should read:

You could almost insert an <a href=”xxx” rel=”nofollow”>Steal this</a> tag outside the <embed> tag and hope that they simply copy and paste the whole code.

 

Well this is bad timing, I was just about to release one for my site. As Alastair mentions you can still add simple links underneath so it’s not a total disaster, most people will just paste the entire code.

 

Last month I was about to invest about $2,000 for flash widgets for my myspace resource site. I am glad that I haven’t done that. I feel sorry for companies like slide.com, yourock.com and so on.

I guess they found a new business plan by allowing certain companies that pay $$$ to link externally. Unless Facebook and other social networking websites start using this flash player 9 problem against myspace and get other myspace feeding companies to feed their websites.

 

They didn’t implement any type of “fix” for the situation. What they did was upgrade all their video/music player/etc flash to version 9, in the sad attempt that hopefully people will upgrade their flash players when a box pops up saying theirs is out of date.

In other words, it’s a big *hope*. They took the lazy man’s approach to fixing the situation, and it’ll bite them in the ass in the long run.

 

If the new restriction is: ‘allowNetworking=”internal”’ doesn’t that mean that links to another page *within myspace.com* will still work. So couldn’t widget makers create a MySpace profile describing their widget with plain HTML links out to the official website and have their widgets link to the internal MySpace page? That even seems like a better solution for the user - they don’t have to leave MySpace to get more information about a widget.

Can anyone verify that *internal* links from widgets work?

 

Am I the only one thinking that user exclusion is a BIG PROBLEM in this move?

 

Flash 9 for Windows is officially out, the Mac version is in Beta, we Linux users have to wait until early 2007 before Adobe provides us with an update from Flash 7.

Should I take the view that Linux users are getting shafted by Adobe, by Myspace, or by both?

 

No, they do not. “Internal” refers to allowing the internal networking functions of the Flash player to operate (such as those associated with XML get, image loading, etc) but not “external” functions that interact with the browser (such as opening a url in the browser.)

 

Neil… actually it’s the opposite (in this specific case). Since Linux users can’t upgrade to 9… then the new “feature” won’t work and all your external linking will work fine.

 

Be careful, myspace. Your site is a digital scrapbook for the user community. Take away the ability to drop functioning widgets onto user pages, you’ll have a user stampede on your hands.

If I was in charge of user acquisition for Friendster/Bebo etc… I’d work all weekend developing a “We are widget friendly” campaign and capitalize on this myspace buzzkill.

 

myspace will be hacked to pieces like aol was.

 

I just posted about this as well as how to make sure your widgets embed in MySpace here - http://www.streampad.com/blog/?p=74

Basically, MySpace inserts allowNetworking=”internal” if you don’t already have it, but seems to do it in a bad way that breaks your code. My advice is to insert it yourself to make sure your widget is not broken.

 
Jorg (Profitstream) - July 21st, 2006 at 11:35 am PDT

Ari Mir: You wrote:

>>This post is a little misleading. MySpace has no intention of preventing 3rd party widgets. They are simply requesting users to upgrade their version of Flash. As far as I am concerned this is a great thing. tags before they publish your page:

allowscriptaccess=”never” allownetworking=”internal”

allowscriptaccess=”never” seems to be enough to make YouTube widgets unable to link out. allownetworking=”internal” is the death blow to the rest of the widget vendors.

For some reason that is unclear, MySpace fails to “properly” censor SOME tags. It *appears* to be related to sloppily copied and pasted code with extra spaces or missing closing tag or something similar.

 
Jorg (Profitstream) - July 21st, 2006 at 11:41 am PDT

Sorry my previous comment was butchered by TechCrunch’s tag censor :-) Here again without any less-than signs and greater-than signs:

Ari Mir: You wrote:

[This post is a little misleading. MySpace has no intention of preventing 3rd party widgets. They are simply requesting users to upgrade their version of Flash. As far as I am concerned this is a great thing.]

Ari this is not correct. They actively censor content before they publish it. Otherwise anyone could post any JavaScript-based IE exploit and infect zillions of MyS users.

The news is, they now actively insert these attributes into embed tags, taking the “viralness” right out of “viral marketing”:

allowscriptaccess=”never”
allownetworking=”internal”

allowscriptaccess=”never” seems to be enough to make YouTube widgets unable to link out. allownetworking=”internal” is the death blow to the rest of the widget vendors.

For unclear reasons, MySpace fails to “properly” censor SOME tags. It *appears* to be related to sloppily copied-and-pasted widget code, with extra spaces or missing closing embed tag… if the embed code has unexpected errors, it seems to confuse MySpace’s censoring script, so some widgets will slip through if their embed tags are butchered enough…

 

So *that’s* why I get this message every time I log in to MySpace:

“hey folks - we are moving myspace music players and video players to flash 9.0. flash 9 has security fixes so that people can’t mess with you on myspace. if your ‘about me’ got screwed up this weekend, you could have been safe if you had flash 9 installed. here’s an easy way to install it, go watch this dashboard video i posted last week. if you don’t like dashboard, just watch any video in our video section, and you’ll be prompted to install flash 9.”

“So people can’t mess with you.” Got it.

 

Why not just use a captcha when users try to modify their profiles? That way bots really can’t spread because automated profile editing becomes impossible. That’s way more secure and lets them keep their current model… no?

 

“My Users are Not Your Salesforce!” That’s what Myspace is telling third party widget makers that divert traffic away from Myspace.

I think competitors of Myspace will see this as a perfect chance to collude and do the same.

 

my pet widget code has *always* included an html link under the embed, and as far as i can tell, everyone includes that tag when they copy and paste the code into their myspace profile. the original reason i included the html link was for google pagerank purposes — think about it– but it looks like now there’s another good reason :)

 

This is actually not a Myspace blunder, but Adobe’s. The offending code was a getURL(’http://badwebsite’) statement, that got automatically executed by Actionscript when the offending flash gadget was loaded.

Adobe has to expose an API to the browser that clearly differentiates *automatic* execution of getURL() by the script from user-induced execution, such as when a user clicks on a link in Flash.

Incidentally, the same problem leads to erroneous pop-up blocking by IE of pages opened from flash with target=_blank, because IE cannot differentiate user-induced pop-ups.

Maybe somebody with good contacts can tell Adobe about this- we have a (non 2.0 ;-) flash website with 100s of thousands of users, but we cannot convey to Adobe this simple thing.

 

Hi, if you’d like the Adobe Flash Player to pass a message verifying click events to the various browsers, then that sounds like a good request to me too. You can get this into the Flash Player wishlist at http://www.adobe.com/go/wish, thanks.

… hmm, now that I think of it more, though, I’m not sure when such a thing may be practically deployable, because although it’s pretty quick to get a change into the single small SWF-rendering engine, it takes longer for matching changes to take effect in the world’s current browser pool, and each of these would have to successfully communicate with the various third-party window-blocking utilities out there. Might take awhile to distribute.

But it’d be great if the Player could successfully verify click events to the window-blocking utilities, could I ask you to get the request in at adobe.com/go/wish, please?

tx, jd/adobe

 

I think what MySpace (and others) need to do is to create a white list of widgets that you need to register to. This will get rid of 99% of evil doers while having 99% of legit widgets approved. This can even be a 3rd party service - a TrustE Widget badge.

 

No Eyal, you obviously do not understand how startups work. It would be a death blow to most start-ups who rely on widgets, an entry barrier. Look how Myspace treated Youtube (when it banned it briefly before launching their own video service) or how Ebay was fighting with Paypal buttons and threatening them to create eBay’s own payment system

 
