Web developer Yvo Schaap has discovered that Facebook and Myspace have been overgenerous in assigning privileges to Flash applications, which allowed Schaap's Flash application to access another user's entire Facebook data.
Flash applications are normally only able to access resources on the server from which they were loaded. To allow developers to design applications with more flexibility, however, Adobe has introduced the option of explicitly granting access to other servers. This is achieved by means of the crossdomain.xml file in a web server's root folder. Facebook had used this to grant trusted sites the right to access the main domain via instructions such as:
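As an added example (not from the original article, and not Facebook's actual policy file), the following Python code audits a crossdomain.xml and lists every origin it trusts, since Flash content served from any listed site can read the policy host's data with the visiting user's session. The sample policy, its example.com and example.net host names, and the severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; host names are placeholders, not Facebook's file.
SAMPLE_POLICY = """
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="partner.example.net"/>
  <allow-access-from domain="*.apps.example.com" secure="false"/>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""

def audit_policy(xml_text):
    """Return (domain, severity, reason) for each grant in a crossdomain.xml."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain policy file")
    findings = []
    for ctl in root.iter("site-control"):
        if ctl.get("permitted-cross-domain-policies", "").lower() == "all":
            findings.append(("(site-control)", "high",
                             "any policy file anywhere on the host is honoured"))
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "").strip().lower()
        if domain == "*":
            findings.append((domain, "high", "every site may read responses"))
        elif domain.startswith("*."):
            findings.append((domain, "medium",
                             "every subdomain is trusted, including ones "
                             "serving third-party SWFs"))
        else:
            # Even an exact host extends trust to all Flash content it serves.
            findings.append((domain, "review",
                             "confirm this host serves no third-party Flash"))
        if rule.get("secure", "true").lower() == "false":
            findings.append((domain, "medium",
                             "SWFs loaded over HTTP may read HTTPS content"))
    return findings

if __name__ == "__main__":
    for domain, severity, reason in audit_policy(SAMPLE_POLICY):
        print(f"{severity:6} {domain:22} {reason}")
```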