July 19, 2006

MySpace exploit

MySpace exploit: This has been getting press this week -- I first saw it from varied tech blogs this weekend -- but I don't have enough first-hand info to write anything useful, which is why I haven't. ;-) It sounds like an HTTP redirect via SWF is rewriting some of the permissions exposed in HTML, another variant of the old problem of accepting and hosting user content on your own site. (See pseudonymous ActionScript deconstruction.) The general place for security changes to the Adobe Flash Player itself is here; whitepapers and more on Adobe security practices are here. That's what I've got myself on the issue; please drop a tip in comments here if you see other action items for Adobe staffers, thanks.

Posted by JohnDowdell at July 19, 2006 11:21 AM

Comments

MySpace's solution is to upgrade their widgets to Flash 9. While I'm happy to have 25 million users upgrade I question whether this is the responsible answer to their security flaws?

Posted by: chadvavra at July 19, 2006 11:36 AM

The article made it sound like it was more like the Flash player's fault than MySpace's lax security.
That's kind of annoying.

Posted by: Ash at July 19, 2006 12:19 PM

Unrelated, but similar: There's an actual MySpace security exploit discussed today at Washington Post, where a graphics file used an old flaw in Windows to install trojans onto the machine. The MySpace SWF exploit gave unauthorized access to MySpace profile preferences; this exploit actually installs evil executable code onto visitors' machines. (Windows is a big target, so if using this OS it's vital to keep up-to-date on security fixes.)

Posted by: John Dowdell at July 19, 2006 01:27 PM

I think the flaw is twofold. Partially it's within Flash and partially it's within the way MySpace lets a user write [upload] files to their servers.

Posted by: chadvavra at July 20, 2006 06:31 AM

Hey, I know this lady that hacked into some of my friends' MySpaces. Can you get in trouble for that? And if so, what would happen??

Posted by: Samaria Brown at February 19, 2008 05:54 PM