Linked by Kroc Camen on Wed 7th Apr 2010 08:19 UTC
Via Ha.ckers.org, we get news of a cross-domain flaw using Flash or Silverlight content that allows an attacker to use the victim's browser as a proxy, including access to the user's session. Erlend Oftedal, the developer, explains how the technique works and demonstrates the concept with a video. The flaw stems from developers lackadaisically allowing cross-domain requests from Flash across their whole domain (which obviously includes the user-account interactions); even Flickr and YouTube were culprits at one point.
Not news, or a flaw
by spookylukey on Wed 7th Apr 2010 10:57 UTC

crossdomain.xml files are a deliberate mechanism to remove the protection afforded by the Same Origin policy. If a developer creates one, they are deliberately removing or loosening a security measure.

This article is the equivalent of pointing out that removing locks from your doors is a bad idea, because it allows people to get in even if they don't have the keys. Of course that is true, but not worthy to be called either news or a flaw.

Reply Score: 2
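The comment's point rests on what a crossdomain.xml file actually grants, so here is the permissive policy the story describes placed beside a narrowed one, with a small audit routine that flags the settings that hand out the Same Origin protection. This is an added example, not code from the story, the comment, or Erlend Oftedal's demonstration; both policies are constructed samples, and the host name `static.example.com` is a placeholder. Silverlight's own `clientaccesspolicy.xml` is a different format and is not parsed here.

```python
"""Audit an Adobe crossdomain.xml policy for over-broad cross-domain trust.

Added example: not code from the original story, the comment, or Erlend
Oftedal's demonstration. The two policies below are constructed samples,
and static.example.com is a placeholder host name.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the wide-open policy the story describes. Any SWF on any
# site may make requests to this host and read the responses, and the browser
# attaches the victim's session cookies to those requests.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
"""

# Constructed sample: trust narrowed to one named origin over HTTPS, with the
# meta-policy pinned so that only this master file is honoured as a policy.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example.com" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of findings for one crossdomain.xml; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": every origin may make '
                            'credentialed requests to this host and read the replies')
        elif domain.startswith("*."):
            findings.append(f'allow-access-from domain="{domain}": every subdomain is '
                            'trusted, so one compromised subdomain exposes this host')
        # secure defaults to true; secure="false" lets plain-HTTP content reach an HTTPS host.
        if rule.get("secure", "true").lower() == "false":
            findings.append(f'allow-access-from domain="{domain}" secure="false": '
                            'content served over plain HTTP may reach this HTTPS host')

    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*": every origin '
                            'may send custom request headers')

    site_control = root.find("site-control")
    if site_control is None:
        findings.append('no <site-control>: set permitted-cross-domain-policies="master-only" '
                        'so policy files elsewhere on the host are ignored')
    elif site_control.get("permitted-cross-domain-policies") == "all":
        findings.append('site-control permitted-cross-domain-policies="all": any file on the '
                        'host (including uploaded content) may act as a policy')
    return findings


def is_wide_open(xml_text):
    """True when the policy grants access to every origin via domain="*"."""
    root = ET.fromstring(xml_text)
    return any(r.get("domain") == "*" for r in root.findall("allow-access-from"))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit_policy(policy) or ['no findings']}")
```

Run against a site's own `/crossdomain.xml`, the weak sample produces two findings (the `*` grant and the missing meta-policy) and the hardened sample none. The narrowing matters for exactly the reason the story gives: the policy is read by the victim's browser, so whatever origin it trusts gets to make requests with that user's session attached.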