About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


YouTube Fixes Security Vulnerability

Until recently, YouTube was vulnerable to cross-domain Ajax attacks because of its open crossdomain.xml policy. I notified them as soon as I discovered the vulnerability, and although I have yet to receive a reply, it appears they have fixed the problem:

<cross-domain-policy>
    <allow-access-from domain="*.youtube.com" />
</cross-domain-policy>

Unfortunately, this is causing problems for some Flash / Flex developers who use YouTube's API, and no information has been published to provide a reason for the change or advice on how to work within the new constraints. In fact, I'm not positive that my report prompted the change. It could be a coincidence.

Renaun Erickson writes:

Seems like we need some Adobe dev center write ups in this area, touching on Mashups, Open APIs, and proper usage of crossdomain.xml when used with other systems in place.

I agree, but at the moment, Adobe is setting a bad example:

<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-access-from domain="*.macromedia.com" secure="false" />
    <allow-access-from domain="*.adobe.com" secure="false" />
</cross-domain-policy>
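As an added example, not code from the original post, here is a small Python audit of policies like the two above: it parses the allow-access-from entries, reports the settings a reviewer would flag (the global wildcard and secure="false"), and answers whether a SWF from a given origin would be granted access. The two sample policies are copied from the post; the function names are the example's own.

```python
# Added example (not from the original post): audit a crossdomain.xml
# policy and answer "would Flash let a SWF from origin X read this host?"
import xml.etree.ElementTree as ET

# Sample policies copied from the post: the open one Adobe served and the
# tightened one YouTube switched to.
OPEN_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-access-from domain="*.macromedia.com" secure="false" />
    <allow-access-from domain="*.adobe.com" secure="false" />
</cross-domain-policy>"""

TIGHT_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*.youtube.com" />
</cross-domain-policy>"""

def parse_policy(xml_text):
    """Return (domain, secure) for every allow-access-from entry."""
    rules = []
    for el in ET.fromstring(xml_text).findall("allow-access-from"):
        # secure defaults to true; only an explicit "false" relaxes it
        secure = el.get("secure", "true").lower() != "false"
        rules.append((el.get("domain", ""), secure))
    return rules

def domain_matches(pattern, origin):
    """Flash wildcard rules: '*' matches everything, '*.example.com'
    matches example.com and its subdomains, anything else must be exact."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return origin == base or origin.endswith("." + base)
    return origin == pattern

def is_allowed(xml_text, origin):
    """True if a SWF hosted at `origin` may read this host's responses,
    which are sent with the visiting user's cookies (hence the risk)."""
    return any(domain_matches(d, origin) for d, _ in parse_policy(xml_text))

def audit(xml_text):
    """Findings a reviewer would raise about a policy."""
    findings = []
    for domain, secure in parse_policy(xml_text):
        if domain == "*":
            findings.append("wildcard: any site may make credentialed requests")
        if not secure:
            findings.append("secure=false on %s: HTTP origins can read HTTPS data" % domain)
    return findings
```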

Unlike Flickr, YouTube didn't just move their API to a separate domain. Instead, they closed it to *.youtube.com. Joe Berkovitz, a Flash / Flex developer and author of ReviewTube, would rather see them take Flickr's approach:

YouTube, if you want to be safe and not screw up Flash / Flex developers, please move your API to a different domain and put a liberal crossdomain.xml on that host. Thanks.

John Dowdell, who works for Adobe, also wrote about this issue. Hopefully Adobe will begin to educate developers about the security risks.

About This Post

YouTube Fixes Security Vulnerability was posted on Thu, 21 Dec 2006 at 07:11:04 GMT.

2 Comments

1. Simon Morris said:

Don't expect to receive a reply. I found an XSS vulnerability and the problem was fixed after I sent an email to the webmaster, but I received no contact from them later. Perhaps because you're slightly more well known (or even known)...

Thu, 21 Dec 2006 at 08:17:19 GMT


2. Swetlana Maßat said:

Great and excellent article. It's really helpful. Thanks again.

Fri, 29 Dec 2006 at 13:03:04 GMT

