From the looks of things, a Dutch developer, Yvo Schaap (blog link above), stumbled on a back door into any user account that accesses the application he's working on.
He discovered the problem while trying to get around a function limitation on his application and, in doing so, realised he could modify the account settings. Even worse - his illegitimate interventions into the account couldn't even be traced!
The crux of the matter?
"Adobe introduced a "crossdomain.xml" file which could allow certain domains to access another domain, leading to cross-domain access by certain or all domains."
Facebook did block access through Flash from any non-Facebook domain, but this didn't go the whole way: by simply changing the subdomain you can circumvent the barrier and access the domain's data.
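To make the policy question concrete, here is an added example in Python (not code from the original post or from Yvo's write-up) that parses a crossdomain.xml file, answers whether a Flash file served from a given host would be granted access, and flags the over-broad rules a reviewer should catch. The two policies and the example-social.com hostnames are constructed for illustration; the matching treats `*.example.com` as covering the base domain and every subdomain, which is the conservative reading for an audit.

```python
"""Audit a Flash cross-domain policy (crossdomain.xml) for over-broad
<allow-access-from> rules.  Added example; the two policies below are
constructed illustrations, not Facebook's or MySpace's real files."""
import xml.etree.ElementTree as ET

# Constructed: a permissive policy of the kind the article describes.  Every
# subdomain is trusted, so any host under it that serves Flash content can
# read responses carrying the visitor's session.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example-social.com" />
</cross-domain-policy>
"""

# Constructed: the tightened policy names only the host that genuinely needs
# cross-domain access, and restricts the site to this one master policy file.
STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.example-social.com" secure="true" />
</cross-domain-policy>
"""


def allowed_domains(policy_xml):
    """Return the domain patterns the policy grants access to."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]


def grants_access(policy_xml, requesting_host):
    """True if a SWF served from requesting_host may read this site's responses.

    Assumption for the audit: "*" matches any host and "*.base" matches the
    base domain plus all of its subdomains; anything else is an exact match.
    """
    host = requesting_host.lower()
    for pattern in allowed_domains(policy_xml):
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("*."):
            base = pattern[2:]
            if host == base or host.endswith("." + base):
                return True
        elif host == pattern:
            return True
    return False


def audit(policy_xml):
    """Return human-readable findings for rules that widen access too far."""
    findings = []
    for el in ET.fromstring(policy_xml).iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(f"domain={domain!r}: every origin may read this site's responses")
        elif domain.startswith("*."):
            findings.append(f"domain={domain!r}: every subdomain is trusted, so a SWF "
                            "reachable under any subdomain inherits the visitor's session")
        if el.get("secure", "").lower() == "false":
            findings.append(f"domain={domain!r}: secure=\"false\" lets http:// content "
                            "reach an https:// site")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"[{name}] apps.example-social.com allowed:",
              grants_access(policy, "apps.example-social.com"))
        for finding in audit(policy) or ["no findings"]:
            print(f"[{name}] {finding}")
```

Run it as a script to see the weak policy admit an arbitrary subdomain while the strict one admits only the listed host; the same `audit` function can be pointed at a fetched policy file during a review.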
"This wouldn't be a big deal if the subdomain only hosts images, but unfortunately this domain hosts the whole Facebook property, including a Facebook user session. If you have auto-login enabled on Facebook, you might recognize your full name and the keys to do actions from the account's credentials."
It's not just limited to Facebook; MySpace suffers from the same issue. Yvo continues:
"All that has to happen is an active session, or an "auto login" cookie, and a URL which hosts an exploiting Flash file. For example, when accessed, an automatic "post update" could be made that would lure friends of the user to access the exploit URL, and the exploit would spread virally. A more invasive and hidden exploit could harvest all the user's personal photos, data and messages to a central server without any trace, and there is no reason why this wouldn't be happening already with both Facebook and MySpace data."