The crossdomain.xml Witch Hunt

01 Oct 2006

After disclosing the security vulnerability in Flickr (a result of its crossdomain.xml policy), a number of other major web sites have been identified as being vulnerable to the same exploit: using cross-domain Ajax requests for CSRF. Among these new discoveries are YouTube and Adobe.

This is an inherent risk that exists whenever you disclose a new exploit. Because this exploit is the first of its kind, there are numerous web sites that are potentially vulnerable. I've made a sincere attempt to notify those who I know are vulnerable, but there's only so much a bit of Google searching can reveal.

Roderick Divilbiss wondered why more people aren't paying attention to this discovery:

Such a simple, yet potentially damaging vector. I am dismayed that so few people have bothered to Digg this.

Someone else mentioned that disclosing this vulnerability before Flickr had a chance to fix it would have been a better tactic for spreading the word, but added that he was glad I waited. I'm well aware of the merits of full disclosure, but I prefer to give people time. Flickr certainly didn't abuse my trust and patience; in just 12 days, a fix was in place. If everyone was this responsible, the Web would be a safer place.

For more information about the exploit, see Cross-Domain Ajax Insecurity and The Dangers of Cross-Domain Ajax with Flash.

In a Flash Player TechNote, Adobe warns about an open policy that permits all sites to send cross-domain requests:

This practice is suitable for public servers, but should not be used for sites located behind a firewall because it could permit access to protected areas. It should not be used for sites that require authentication in the form of passwords or cookies.

As written, the warning is a bit unclear. Does Adobe already know about this exploit? Here's their current crossdomain.xml policy:

  1. <cross-domain-policy>
  2.     <allow-access-from domain="*"/>
  3.     <allow-access-from domain="*" secure="false"/>
  4.     <allow-access-from domain="*" secure="false"/>
  5. </cross-domain-policy>

If they demonstrate the vulnerability themselves, it doesn't seem likely they're aware of it.

A relatively new site has popped up at that lists sites with open policies. It already lists the new location of Flickr's policy, so it's pretty current.