One of the things I love to talk about when I’m ranting about the improper use of the same origin policy to dictate how we as security professionals audit a website is the use of APIs. Hackers don’t care that your browser sees them as different domains. If they can attack the API, and that API has access to the same data that the main website does but without the controls in place to lock it down, so much the better for them. Anyway, all of this and much much more will be covered in the OWASP preso that I’m doing in Minnesota on Feb 11th, for those of you who live nearby. But let me return to my rant for a second.
As Rosario pointed out, although this does end up on MySpace, it wouldn’t make for a good worm, as the mobile platform doesn’t use the same credential as the website, so it would be impossible to propagate unless someone happened to be logged into the mobile platform when they visited an attacker’s malicious profile. Yes, folks, APIs need to be secured in the same way the website is. You are only as strong as the weakest link, and if you aren’t auditing those APIs you aren’t finding all your holes. Nice work by Rosario!
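To make the propagation argument concrete, here is an added example of my own (a toy model, not MySpace’s code and not anything from Rosario’s finding): a website and a mobile API that share one profile store but issue separate session cookies, so a cross-site request only lands when the victim also holds a mobile session, and not at all once the API demands a non-ambient token header. The names `Site`, `mobile_api_update` and the `X-Session-Token` header are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model: two front ends, one data store, two separate credentials.
WEB_HOST = "www.site.example"
MOBILE_HOST = "mobile.site.example"


@dataclass
class Site:
    profiles: dict = field(default_factory=dict)         # user -> profile text (shared data)
    web_sessions: dict = field(default_factory=dict)     # web cookie value -> user
    mobile_sessions: dict = field(default_factory=dict)  # mobile cookie value -> user
    api_requires_token_header: bool = False  # the control the rant says APIs often lack

    def login(self, user, web=True, mobile=False):
        """Return the ambient cookies the user's browser carries after logging in."""
        cookies = {}
        if web:
            cookies[WEB_HOST] = f"web-{user}"
            self.web_sessions[cookies[WEB_HOST]] = user
        if mobile:
            cookies[MOBILE_HOST] = f"mob-{user}"
            self.mobile_sessions[cookies[MOBILE_HOST]] = user
        return cookies

    def mobile_api_update(self, cookies, new_text, headers=None):
        """Mobile API endpoint. Identity comes from the mobile cookie only; the website
        session is irrelevant here, which is why a web-only victim is not affected."""
        headers = headers or {}
        user = self.mobile_sessions.get(cookies.get(MOBILE_HOST))
        if user is None:
            return False  # no mobile session: the request is anonymous and rejected
        if self.api_requires_token_header:
            # Double-submit check: a value the browser will not attach on its own.
            if headers.get("X-Session-Token") != cookies.get(MOBILE_HOST):
                return False
        self.profiles[user] = new_text
        return True


def cross_site_request(site, victim_cookies):
    """A malicious profile viewed in the victim's browser triggers a plain cross-site
    request (form/image style): cookies ride along automatically, custom headers do not."""
    return site.mobile_api_update(victim_cookies, "<constructed payload>")
```

The first scenario in the checks mirrors Rosario’s observation; the hardened `Site` shows the control that would stop it even for a victim who is logged into both.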