Massive Facebook and MySpace Flash Vulnerability Exposes User Data

by Jason Kincaid

A Facebook developer named Yvo Schaap has uncovered a massive security flaw present on both Facebook and MySpace that would give hackers the ability to steal all of your account data, including your photos, personal messages, and basically everything else you’ve ever put on the social networks, without you ever realizing it.

Schaap stumbled upon the exploit and contacted both Facebook and MySpace. According to his blog MySpace has since fixed the bug, and while his blog indicates that Facebook is still working on it we’ve confirmed that they’ve fixed it as well (we’re waiting on a statement from MySpace). So what exactly could the exploit do? From Schaap’s blog:

You don’t need much time to think of all the ways this could be exploited. All what has to happen is a active session, or a “auto login”-cookie and a URL which hosts a exploiting Flash file. For example when accessed, a automatic “post update” could be made, that would lure friends of the user to access the exploit URL, and the exploit would spread virally. An more invasive and hidden exploit could harvest all the users personal photo’s, data and messages to a central server without any trace, and there is no reason why this wouldn’t be happening already with both Facebook and MySpace data.

In other words, if you’ve ever checked that ‘remember me’ button on Facebook or MySpace’s login screen and have at any point viewed a Flash app taking advantage of the exploit, it’s possible that all of your data was compromised. You wouldn’t even have to neccesarily open anything — in Facebook’s case, if one of the infected items showed up in your News Feed you could have your data stolen without ever knowing it. Yeah, that’s pretty damn scary. For what it’s worth, Facebook gave us this statement:

The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.

Of course, Schaap pretty clearly writes that there’s no way for a user to tell if their data was harvested, so for all we know it could have been used by multiple developers for months or longer (Facebook is currently investigating how long the bug may have existed). Granted, Schaap could be the first developer to ever stumble across the exploit. But the potential of this bug is so huge — allowing a developer to mine all of the data for any user who accessed their app — that less honest developers may well have used the hack for their own benefit. Facebook has previously said that there are a whopping 300,000 developers building on its platform. And we’ve seen time and time again that some of those developers are not opposed to Black Hat tactics. MySpace has seen its own share of problems.

This is obviously bad news for both social networks, but Facebook in particular has long been heralded as the safer of the two, with its extensive privacy settings and authentic identities. Yet the site has repeatedly seen glitches in its security. Today’s bug is by far the worst vulnerability in recent memory.

The security vulnerability works by taking advantage of an oversight in a crossdomain.xml configuration file, which is used by Flash applets to determine if an application has permission to access data on that domain. The crossdomain.xml files at Facebook and MySpace were allowing any applet from any other domain to access data and the API. Combined with browsers keeping a record of your logged in session if you have checked ‘remember me’, the vulnerability means that an invisible Flash applet on any website you visit would be able to read out all your data and send it away somewhere else. For more on cross-domain requests and security, there is a write up explaining all the details.

If you’re interested in the nature of the exploit itself, head over to Schaap’s blog for a full description of how he stumbled on it.