Facebook, MySpace backdoor exposed user accounts
Facebook and MySpace have closed gaping security holes in their sites that gave attackers full access to accounts that had automatic-login features enabled. The vulnerabilities, documented here by a Facebook application developer, were significant. Because the unauthorized access would be mapped to the victim's IP address and …
Yet another reason why Adobe Flash should NOT be the underlying software on so many websites. Putting all your security eggs in their leaky basket is just ASKING for trouble.
What happened to the days where Flash was merely a single plugin element on a site instead of the ENTIRE FARKING SITE?
Besides... It makes it more annoying to download the *ahem* pictures that should be saved for offline viewing. Not impossible of course... Just more annoying.
Couldn't agree more, Flash has become like a pox on the net, and it's users that have to take all the risks just access content.
I use no flash or javascript on my site, and yet it's usable on 99% of devices, and it's till interactive. I want the functionality that it provides, so as the server admin, I take the risk rather than pushing it onto users.
Now that Facebook has "vanity" ID's, half of the security of a user's logon is gone. It used to be that for someone to get into my account, they had to know what email address I used, plus my password. Now they know my logon ID, as the vanity ID can be used as a login. And of course, they can get that from the URL of my profile page.
Now all they need is to guess my password, since they already have my logon ID.
Kind of lame that Facebook does something so obvious as this.
missing the point a bit - it's not that flash is widely used on facebook (it's not) and it's certainly not the "underlying software" - it's just that one of the bits that DOES use it didn't specify that external flash apps weren't allowed to access it programatically. a very epic fail, yes, but not one that relies on "the ENTIRE FARKING SITE" being flash
If the site owners actually employed someone behind the HELP link, they could have been aware of the problems as soon as they turned up, but no, there is no one home, other than a robot or robot like person with FAQs stuffed to standard output.
I've been posting to them for for weeks reporting the problem but .....
And no, it isn't fixed!
Or maybe it is some other robot, trying to nab log in credentials as of today.
So again, I cannot log in, but get the Error Message "Too many failed log in attempts from this eMail", then a none working CATCHPA device cycles through taking my details again, and then presenting fresh blank input fields when SUBMIT is clicked.
It should be shut down, at least I'd get some work done then.
ALF
Hardly the fault of Flash if MySpace left the front door locked (as is the default) but deliberately decided to leave the back door open.
To repeat: MySpave had to *deliberately* make a positive choice to enable this to happen. By default Flash is very good at locking off cross domain attacks.
Sign up, sign up for The Register's weekly IT security newsletter - click here
