About the Author

Chris Shiflett

Hi, I’m Chris, a web craftsman making things like Mapalong & Brooklyn Beta with my friends at Analog.
YouTube Fixes Security Vulnerability

Until recently, YouTube was vulnerable to cross-domain Ajax attacks because of their open crossdomain.xml policy. I notified them as soon as I discovered the vulnerability, and although I have yet to receive a reply, it appears they have fixed the problem:

<cross-domain-policy>
    <allow-access-from domain="*.youtube.com" />
</cross-domain-policy>

Unfortunately, this is causing problems for some Flash / Flex developers who use YouTube's API, and no information has been published to provide a reason for the change or advice on how to work within the new constraints. In fact, I'm not positive that my report prompted the change. It could be a coincidence.

Renaun Erickson writes:

Seems like we need some Adobe dev center write ups in this area, touching on Mashups, Open APIs, and proper usage of crossdomain.xml when used with other systems in place.

I agree, but at the moment, Adobe is setting a bad example:

<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-access-from domain="*.macromedia.com" secure="false" />
    <allow-access-from domain="*.adobe.com" secure="false" />
</cross-domain-policy>
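As an added illustration (not part of the original post), here is a small Python check that parses a crossdomain.xml and flags the kinds of entries discussed above: a bare `*` domain, which lets a SWF on any site read responses from the host with the visitor's cookies attached, and `secure="false"`, which on an https host also admits SWFs served over plain http. It is run against the two policies quoted in this post.

```python
import xml.etree.ElementTree as ET

# The two policies quoted in the post, embedded here as constructed test input.
YOUTUBE_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*.youtube.com" />
</cross-domain-policy>"""

ADOBE_POLICY = """<cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-access-from domain="*.macromedia.com" secure="false" />
    <allow-access-from domain="*.adobe.com" secure="false" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (domain, reason) findings for risky allow-access-from entries.

    domain="*" permits credentialed cross-domain requests from any site.
    secure="false" (meaningful when the policy is served over https) lets
    SWFs loaded over plain http read this host's https responses.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append((domain, "wildcard: any site may make credentialed requests"))
        elif domain.startswith("*.") and domain.count(".") == 1:
            # e.g. "*.com": effectively a wildcard over a whole top-level domain
            findings.append((domain, "wildcard over an entire top-level domain"))
        if entry.get("secure", "true").lower() == "false":
            findings.append((domain, 'secure="false": http:// SWFs may read https:// responses'))
    return findings


if __name__ == "__main__":
    for name, policy in (("youtube", YOUTUBE_POLICY), ("adobe", ADOBE_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```

The YouTube policy produces no findings; Adobe's produces three (the `*` entry and one `secure="false"` finding for each of the two named domains).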

Unlike Flickr, YouTube didn't just move their API to a separate domain. Instead, they closed it to *.youtube.com. Joe Berkovitz, a Flash / Flex developer and author of ReviewTube, would rather see them take Flickr's approach:

YouTube, if you want to be safe and not screw up Flash / Flex developers, please move your API to a different domain and put a liberal crossdomain.xml on that host. Thanks.

John Dowdell, who works for Adobe, also wrote about this issue. Hopefully Adobe will begin to educate developers about the security risks.

About this post

YouTube Fixes Security Vulnerability was posted on Thu, 21 Dec 2006 at 07:11:04 GMT.

2 comments

1. Simon Morris said:

Don't expect to receive a reply. I found an XSS vulnerability and the problem was fixed after I sent an email to the webmaster, but I received no contact with them later. Perhaps because you're slightly more well known (or even known)....

Thu, 21 Dec 2006 at 08:17:19 GMT


2. Swetlana Maßat said:

Great and excellent article, it’s really helpful. Thanks again.

Fri, 29 Dec 2006 at 13:03:04 GMT
