About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.

YouTube Fixes Security Vulnerability

Until recently, YouTube has been vulnerable to cross-domain Ajax attacks due to their open crossdomain.xml policy. I notified them as soon as I discovered the vulnerability, and although I have yet to receive a reply, it appears they have fixed the problem:

<cross-domain-policy> 
    <allow-access-from domain="*.youtube.com" /> 
</cross-domain-policy>

Unfortunately, this is causing problems for some Flash / Flex developers who use YouTube's API, and no information has been published to provide a reason for the change or advice on how to work within the new constraints. In fact, I'm not positive that my report prompted the change. It could be a coincidence.

Renaun Erickson writes:

Seems like we need some Adobe dev center write ups in this area, touching on Mashups, Open APIs, and proper usage of crossdomain.xml when used with other systems in place.

I agree, but at the moment, Adobe is setting a bad example:

<cross-domain-policy> 
    <allow-access-from domain="*" /> 
    <allow-access-from domain="*.macromedia.com" secure="false" /> 
    <allow-access-from domain="*.adobe.com" secure="false" /> 
</cross-domain-policy>

Unlike Flickr, YouTube didn't just move their API to a separate domain. Instead, they closed it to *.youtube.com. Joe Berkovitz, a Flash / Flex developer and author of ReviewTube, would rather see them take Flickr's approach:

YouTube, if you want to be safe and not screw up Flash / Flex developers, please move your API to a different domain and put a liberal crossdomain.xml on that host. Thanks.

John Dowdell, who works for Adobe, also wrote about this issue. Hopefully Adobe will begin to educate developers about the security risks.

About This Post

YouTube Fixes Security Vulnerability was posted on Thu, 21 Dec 2006 at 07:11:04 GMT.

2 Comments

1. Simon Morris's GravatarSimon Morris said:

Don't expect to receive a reply. I found an XSS vulnerability and the problem was fixed after I sent an email to the webmaster but I received no contact with them later. Perhaps because you're slightly more well known ( or even known ) ....

Thu, 21 Dec 2006 at 08:17:19 GMT Link

2. Swetlana Maßat's GravatarSwetlana Maßat said:

Great and excellent article t’s realy helpful. Thanks again.

Fri, 29 Dec 2006 at 13:03:04 GMT Link

Post A Comment

Personal Details and Comment

Style Guide

Line breaks are converted to paragraphs. Also use:

  • <a href="" title="">text</a>1
  • <em>text</em>
  • <blockquote><p>text</p></blockquote>
  • <code>2  <?php  if ($foo) {      $foo = TRUE;  }  ?></code>
  1. Note: <code> can be used inline (e.g. in paragraphs) or in a block as shown. Include whitespace and newlines in blocks.

Please enter Chris (my first name) below. This is a primitive spam prevention technique, and I apologize for the inconvenience.

Preview and Submit

Upcoming Events

Brooklyn Beta

21 - 22 Oct 2010

At The Invisible Dog, Brooklyn, New York.

New Comments

Mario Arroyo wrote:

The article is really very good and the users comments and external links to another articles jus...

Posted in
Raphael Almeida wrote:

I realy like hiphop music, but this is very crazy! We'll use it in user group PHP conference at ...

Posted in PHP Anthem
Mal wrote:

Having used smarty for many years, this has never been a problem for me, but after building a web...

Posted in PHP Stripping Newlines
Satya wrote:

Thanks for the info. I have posted the news here on my page: http://www.facebook.com/pages/Web-Sc...

Posted in PHP Anthem
John wrote:

Oh, you need to press "save your password".

Posted in Mozilla Account Manager

Browse Comments

Work and Books

Analog Essential PHP Security HTTP Developer's Handbook