Chris Shiflett

The crossdomain.xml Witch Hunt

After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit: using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube and Adobe.

This is an inherent risk that exists whenever you disclose a new exploit. Because this exploit is the first of its kind, there are numerous web sites that are potentially vulnerable. I've made a sincere attempt to notify those who I know are vulnerable, but there's only so much a bit of Google searching can reveal.

Roderick Divilbiss wondered why more people aren't paying attention to this discovery:

Such a simple, yet potentially damaging vector. I am dismayed that so few people have bothered to Digg this.

Someone else mentioned that disclosing this vulnerability before Flickr had a chance to fix it would have been a better tactic for spreading the word, but added that he was glad I waited. I'm well aware of the merits of full disclosure, but I prefer to give people time. Flickr certainly didn't abuse my trust and patience; in just 12 days, a fix was in place. If everyone were this responsible, the Web would be a safer place.

For more information about the exploit, see Cross-Domain Ajax Insecurity and The Dangers of Cross-Domain Ajax with Flash.

In a Flash Player TechNote, Adobe warns about an open policy that permits all sites to send cross-domain requests:

This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies.

As written, the warning is a bit unclear. Does Adobe already know about this exploit? Here's their current crossdomain.xml policy:

    <allow-access-from domain="*"/>
    <allow-access-from domain="*.macromedia.com" secure="false"/>
    <allow-access-from domain="*.adobe.com" secure="false"/>

If they demonstrate the vulnerability themselves, it doesn't seem likely they're aware of it.
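As an added example (not Chris's code, and not anything from Adobe), here is a small Python audit that reads a crossdomain.xml body and flags the two things discussed above: a wildcard domain that lets any site make cookie-bearing cross-domain requests, and secure="false". The first policy is the one quoted above; the tightened policy and its hostname are constructed for comparison.

```python
import xml.etree.ElementTree as ET

# Adobe's policy exactly as quoted in the post above.
ADOBE_POLICY_2006 = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*"/>
    <allow-access-from domain="*.macromedia.com" secure="false"/>
    <allow-access-from domain="*.adobe.com" secure="false"/>
</cross-domain-policy>"""

# Constructed, tightened alternative (hypothetical hostname): one explicit
# host, HTTPS-only. A site that needs no cross-domain Flash access at all
# should simply not serve a policy that allows anyone.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="www.example.com" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text):
    """Return a list of (severity, message) findings for a crossdomain.xml body.

    Only the issues the post discusses are checked: domain="*" (every site may
    send requests that carry the victim's cookies, i.e. CSRF) and
    secure="false" (a policy served over HTTPS is also honoured for requests
    from plain-HTTP content). A missing secure attribute is treated as "true".
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a crossdomain.xml document")
    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        secure = rule.get("secure", "true").lower()
        if domain == "*":
            findings.append(("high", 'domain="*": any site may send authenticated cross-domain requests'))
        elif domain.startswith("*."):
            findings.append(("info", f"subdomain wildcard {domain}: every host under it is trusted"))
        if secure == "false":
            findings.append(("medium", f'secure="false" on {domain}: policy also honoured for non-HTTPS callers'))
    return findings


if __name__ == "__main__":
    for severity, message in audit_crossdomain_policy(ADOBE_POLICY_2006):
        print(f"[{severity}] {message}")
```

Any policy that combines a wildcard with cookie- or password-based authentication is the case Adobe's TechNote warns about.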

A relatively new site has popped up at crossdomainxml.org that lists sites with open policies. It already lists the new location of Flickr's policy, so it's pretty current.

The crossdomain.xml Witch Hunt was posted on Sun, 01 Oct 2006.
1. Chris Shiflett said:

Oprah.com is vulnerable and has been notified:


Mon, 02 Oct 2006 at 02:35:57 GMT

2. Matthew Purdon said:

I find it really funny that this is such a big deal now. I have been using token based forms for a couple of years now simply because it is the most effective means of preventing duplicate form submissions. I keep the tokens (along with user data history) in a page and form name concatenated specific session array so that there are no collisions.

Wed, 04 Oct 2006 at 13:53:36 GMT

3. Chris Shiflett said:

Hi Matthew,

Thanks for the comment. I wish we were all so lucky, then this wouldn't be such a big problem. :-)

Wed, 04 Oct 2006 at 14:04:32 GMT

4. Chris Shiflett said:

This story is being discussed by others in the web application security community:



Wed, 11 Oct 2006 at 03:33:24 GMT

5. Chris Shiflett said:

The same vulnerability has been discovered on Facebook and MySpace, and both sites have fixed it.

Thu, 05 Nov 2009 at 21:45:55 GMT
