Massive Facebook And MySpace Flash Vulnerability Exposes User Data (Updated)

A Facebook developer named Yvo Schaap has uncovered a massive security flaw present on both Facebook and MySpace that would give hackers the ability to steal all of your account data, including your photos, personal messages, and basically everything else you’ve ever put on the social networks, without you ever realizing it.
Update: MySpace tells us that in their case no private data was actually exposed, see their statement below. However, Schaap believes that MySpace is simply wrong, and that they were in fact open to the exploit.

Schaap stumbled upon the exploit and contacted both Facebook and MySpace. According to his blog MySpace has since fixed the bug, and while his blog indicates that Facebook is still working on it we’ve confirmed that they’ve fixed it as well. So what exactly could the exploit do? From Schaap’s blog:

You don’t need much time to think of all the ways this could be exploited. All what has to happen is a active session, or a “auto login”-cookie and a URL which hosts a exploiting Flash file. For example when accessed, a automatic “post update” could be made, that would lure friends of the user to access the exploit URL, and the exploit would spread virally. An more invasive and hidden exploit could harvest all the users personal photo’s, data and messages to a central server without any trace, and there is no reason why this wouldn’t be happening already with both Facebook and MySpace data.

Schaap’s post is accurate regarding Facebook’s problem, but MySpace says none of their private data was compromised. However, Schaap believes the MySpace is totally wrong. We’re waiting for further clarification on their end. Here’s MySpace’s statement:

“We’re 100% dedicated to the safety and security of our users and immediately after MySpace’s security team identified this spoutbuilder issue we blocked spoutbuilder and then helped them resolve their vulnerability. No private MySpace data was exposed and the vulnerability was never exploited.”

If you’ve ever checked that ‘remember me’ button on Facebook the MySpace login screen and have at any point viewed a Flash app taking advantage of the exploit, it’s possible that all of your data was compromised. You wouldn’t even have to neccesarily open anything — if one of the infected items showed up in your News Feed you could have your data stolen without ever knowing it. Yeah, that’s pretty damn scary. For what it’s worth, Facebook gave us this statement:

The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.

Of course, Schaap pretty clearly writes that there’s no way for a user or even Facebook to tell if their data was harvested, so for all we know it could have been used by multiple developers for months or longer (Facebook is currently investigating how long the bug may have existed). Granted, Schaap could be the first developer to ever stumble across the exploit. But the potential of this bug is so huge — allowing a developer to mine all of the data for any user who accessed their app — that less honest developers may well have used the hack for their own benefit. Facebook has previously said that there are a whopping 300,000 developers building on its platform. And we’ve seen time and time again that some of those developers are not opposed to Black Hat tactics. MySpace has had its own problems.

This is obviously bad news for both social networks, but Facebook in particular has long been heralded as the safer of the two, with its extensive privacy settings and authentic identities. Yet the site has repeatedly seen glitches in its security. I’ve written before about the sorry state of our privacy and the security of our data online, and issues like this underscore that the problem isn’t getting any better. Facebook is no longer just a platform for learning about your college buddies — it’s a serious business, used for photos and messages that can be very sensitive. Hell, I’ve heard of journalists who regularly use Facebook to reach out to potential sources, when secrecy is of the utmost importance. Apparently that’s not a good idea.

The security vulnerability works by taking advantage of an oversight in a crossdomain.xml configuration file, which is used by Flash applets to determine if an application has permission to access data on that domain. The crossdomain.xml files at Facebook and MySpace were allowing any applet from any other domain to access data and the API. Combined with browsers keeping a record of your logged in session if you have checked ‘remember me’, the vulnerability means that an invisible Flash applet on any website you visit would be able to read out all your data and send it away somewhere else. For more on cross-domain requests and security, there is a write up explaining all the details.

If you’re interested in the nature of the exploit itself, head over to Schaap’s blog for a full description of how he stumbled on it.

Image by Lisanne!