A Facebook developer named Yvo Schaap has uncovered a massive security flaw present on both Facebook and MySpace that would give hackers the ability to steal all of your account data, including your photos, personal messages, and basically everything else you’ve ever put on the social networks, without you ever realizing it.
Update: MySpace tells us that in their case no private data was actually exposed, see their statement below. However, Schaap believes that MySpace is simply wrong, and that they were in fact open to the exploit.
Schaap stumbled upon the exploit and contacted both Facebook and MySpace. According to his blog, MySpace has since fixed the bug, and while his blog indicates that Facebook is still working on it, we’ve confirmed that they’ve fixed it as well. So what exactly could the exploit do? From Schaap’s blog:
You don’t need much time to think of all the ways this could be exploited. All that has to happen is an active session, or an “auto login” cookie, and a URL which hosts an exploiting Flash file. For example, when accessed, an automatic “post update” could be made that would lure friends of the user to access the exploit URL, and the exploit would spread virally. A more invasive and hidden exploit could harvest all the users’ personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn’t be happening already with both Facebook and MySpace data.
Schaap’s post is accurate regarding Facebook’s problem, but MySpace says none of their private data was compromised. However, Schaap believes MySpace is totally wrong. We’re waiting for further clarification on their end. Here’s MySpace’s statement:
“We’re 100% dedicated to the safety and security of our users and immediately after MySpace’s security team identified this spoutbuilder issue we blocked spoutbuilder and then helped them resolve their vulnerability. No private MySpace data was exposed and the vulnerability was never exploited.”
If you’ve ever checked that ‘remember me’ button on the Facebook or MySpace login screen and have at any point viewed a Flash app taking advantage of the exploit, it’s possible that all of your data was compromised. You wouldn’t even necessarily have to open anything — if one of the infected items showed up in your News Feed you could have your data stolen without ever knowing it. Yeah, that’s pretty damn scary. For what it’s worth, Facebook gave us this statement:
The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.
Of course, Schaap pretty clearly writes that there’s no way for a user or even Facebook to tell if their data was harvested, so for all we know it could have been used by multiple developers for months or longer (Facebook is currently investigating how long the bug may have existed). Granted, Schaap could be the first developer to ever stumble across the exploit. But the potential of this bug is so huge — allowing a developer to mine all of the data for any user who accessed their app — that less honest developers may well have used the hack for their own benefit. Facebook has previously said that there are a whopping 300,000 developers building on its platform. And we’ve seen time and time again that some of those developers are not opposed to Black Hat tactics. MySpace has had its own problems.
This is obviously bad news for both social networks, but Facebook in particular has long been heralded as the safer of the two, with its extensive privacy settings and authentic identities. Yet the site has repeatedly seen glitches in its security. I’ve written before about the sorry state of our privacy and the security of our data online, and issues like this underscore that the problem isn’t getting any better. Facebook is no longer just a platform for learning about your college buddies — it’s a serious business, used for photos and messages that can be very sensitive. Hell, I’ve heard of journalists who regularly use Facebook to reach out to potential sources, when secrecy is of the utmost importance. Apparently that’s not a good idea.
The security vulnerability works by taking advantage of an oversight in a crossdomain.xml configuration file. Flash Player fetches this file from a target domain to decide whether an applet served from some other domain is permitted to read data from that domain. The crossdomain.xml files at Facebook and MySpace allowed an applet from any other domain to access their data and API. Combined with the browser attaching your logged-in session cookie to those requests if you have checked ‘remember me’, the vulnerability means that an invisible Flash applet on any website you visit would be able to read out all your data and send it away somewhere else. For more on cross-domain requests and security, there is a write-up explaining all the details.
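The policy-file oversight described above, as an added example that is not code from Schaap, Facebook, MySpace or this article: a small Python auditor that parses a crossdomain.xml the way a defender would when answering the “are we covered?” question. It flags the wildcard allow-access-from rule that lets an applet on any site read an authenticated session, any rule naming a domain outside the site’s own, a secure="false" attribute, and a missing site-control element. The two embedded policies and the example.com hostnames are constructed, and the function names (audit_crossdomain, _is_own_host, is_wide_open) are chosen here, not taken from any project.

```python
"""Audit a Flash crossdomain.xml policy for over-permissive rules.

Added example, not code from Schaap, Facebook or MySpace. The two sample
policies and the example.com hostnames are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the wide-open policy the article describes. Any Flash
# applet, served from any site, may read responses from this origin.
OPEN_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: the same host, restricted to its own domains.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.example.com" secure="true" />
  <allow-access-from domain="*.static.example.com" secure="true" />
</cross-domain-policy>
"""


def _is_own_host(domain, own_suffixes):
    """True if a policy domain pattern stays within the site's own DNS suffixes."""
    host = domain[2:] if domain.startswith("*.") else domain
    return any(host == s or host.endswith("." + s) for s in own_suffixes)


def audit_crossdomain(policy_xml, own_suffixes):
    """Return a list of (severity, message) findings for one policy document.

    own_suffixes lists the DNS suffixes the site considers its own; every
    allow-access-from rule that reaches outside them is reported.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is %r, not cross-domain-policy" % root.tag)]

    findings = []
    site_control = root.find("site-control")
    if site_control is None:
        findings.append(("medium", "no <site-control>: policy files in subdirectories are honoured"))
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("medium", "site-control allows policy files anywhere on the host"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("critical", 'allow-access-from domain="*": any site may read this origin'))
        elif not _is_own_host(domain, own_suffixes):
            findings.append(("high", "foreign domain %s granted access" % domain))
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", 'secure="false" on %s: http:// applets may read https:// data' % domain))

    for rule in root.findall("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append(("high", "any origin may send arbitrary request headers"))
    return findings


def is_wide_open(policy_xml):
    """Convenience check: does the policy grant read access to every domain?"""
    return any(sev == "critical" for sev, _ in audit_crossdomain(policy_xml, ()))


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, audit_crossdomain(policy, ("example.com",)))
```

The auditor only inspects the policy file; it says nothing about whether the API behind it accepts a bare session cookie as sufficient authorisation, which is the second check a site would want in place so that a single over-permissive policy does not expose every endpoint.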
If you’re interested in the nature of the exploit itself, head over to Schaap’s blog for a full description of how he stumbled on it.
Image by Lisanne!
Excellent reporting and article!
Facebook: “Move fast, break stuff.” Maybe not *too* fast, Facebook?
“Massive Facebook and MySpace Flash Vulnerability Exposes User Data” kind of makes it look as if Flash is to blame. In reality, the setup fb and ms have done is to blame.
Having a fully open crossdomain.xml undermines the security model Flash has in place to make sure that calls to other APIs than what the Flash needs can’t be made.
All in all, the crossdomain should have been setup correctly and a secondary security test for API calls should have been in place.
The title suggests this is a Flash exploit, while it’s honestly just a not very well thought through security model which allowed this to happen. If they would have been less lazy and implemented a proper crossdomain it wouldn’t have happened.
Flash gives you the locks, but if you leave the keys in……
100% agreed!
Anything truly private should not be put on a social network, simple.
This is so important. If you’re posting something on a social network you should expect it to be public, that’s the point. Privacy settings, sure, but the internet is not and never will be 100% safe. If you assume everything will be stolen, you’ll do okay. So don’t upload your sex photos in a private album, kids.
Flash applets? WTF?!? you’ve just crawled out of the java applets cesspool
Wow, not going to be using Facebook until I know it’s fixed. Hope I haven’t been affected
Just use FlashBlock on Firefox and there’s nothing to worry about. Makes browsing better all around really.
I find it hard to believe no other developer has come across this exploit – that is, if it’s been open for any length of time. Schaap is probably the first to make it known. Facebook seem to be having their first negative week of posts in a long while on TechCrunch. Good article.
For a while Facebook (don’t know about MySpace) had an unrestricted crossdomain.xml file. They secured it a while back. Looks like for some reason it got reverted.
Seems like the issue was that they used the old crossdomain.xml file on http://www.conn...t.facebook.com/.
No one can create a zero bug application. Bugs and loopholes are part of applications.
But it would have been far better if facebook had discovered this themselves rather than being told by somebody else.
wouldn’t this be more of an exploit caused by Adobe and Flash, rather than the social networks themselves?
It’s a flash “feature” that the sites failed to protect against. That would be like blaming Ford when someone runs an old person over in a Ford car…
It’s not a case of ‘protecting against’ – the server admins would have to deliberately upload a crossdomain.xml file that specifically allows access from *all* domains for this situation to exist. The quotation marks around the word ‘feature’ in your post aren’t required – it *is* a well thought-out and useful feature.
No, Flash has a good security model. Of course, it relies on admins not leaving the door wide open.
I think the whole idea of a “Social Network” invites a “kid in the candy store” mentality in thieves. Can a thief think of a better target for personal information? Many users are so stupid that they fail to realize the potential breach of personal information. Younger people especially who have not learned. I myself am a victim of identity theft. I think if you made social sites more secure you would lose functionality. The whole idea is sharing. But how you limit who gets that information is very hard to control, as we have just learned.
Like Kevin Kelly said in his TED talk (http://www.ted....of_the_web.html), the future of the internet will require us all to be more open to sharing our information.
I am sure since facebook was kindly told of this powerful exploit that has been alive for quite some time now, that they are spending plenty of time and money to launch some more multi million dollar lawsuits, then they may find time to “patch” up the holes in their system. Lawsuits first, fix the problem later, that is if there is any budget left to pay some capable security experts to do proper work.
It’s likely this same bug is present across 25% of the top 1000 sites online, and today there is upper management forwarding this article to their tech teams, asking “are we covered?”
If the problem is mis-configured Flash/API at one site and malicious Flash applets at another, would you not be able to avoid this by surfing using Firefox with the Flashblock add-on/extension enabled?
When you arrive at a site where you are *expecting* to see a Flash object (like video) you can just press the button and watch. Increasing numbers of pages I visit have Flash bits hanging around in odd places, not adding to the experience. Mostly they are being used to collect Flash cookies as more and more people surf with cookie restrictions in place.
Combine the Flashblock add-on/extension with a carefully configured instance of the No-Script add-on/extension and you are cutting down hugely on your attackable surface area.
This is not a hole. This is like saying that if a user granted a Facebook app permission to get data, the app can get the data. It is supposed to do that.
You’re wrong.
“You’re wrong.”
totally meaningless without explaining why. don’t you have a worthwhile point of view?
Reread the article. Techcrunch for example (or any website for that matter) could have installed a Flash file on this site to suck all your Facebook data out. Flash stores connection data etc on your computer, any Flash program reads the file, connects to FB and gets everything without you knowing, because FB didn’t make sure the request came from only FB servers. This is a major security flaw and was FB and MySpace’s fault.
Ok so you have to use an app using the cross-domain + leave your session on + go to a site that is checking for the hole. Yeah, MASSIVE vulnerability…
In case of MySpace their crossdomain.xml file was never open to *, only api.myspace.com has a completely open cross domain policy. All end points under that are protected with more than just cookie checks.
In case it’s helpful, here’s a more thorough description of the technical details:
http://shiflett...crossdomain.xml