Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 30th, 2011

Facebook Mobile API XSS Vulnerability Used To Launch Spam Worm

A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec. The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation.

In order to exploit it, attackers created a Web page containing a specially crafted iframe element that forced all logged in Facebook users visiting it to post rogue messages on their walls. By crafting the spammed message to lure users into visiting the malicious site, the hackers were able to create a self-propagating worm.

The Symantec experts say the vulnerability was exploited in more limited attacks before being used to launch the worm, but also note that more copy cats followed the initial wave.

Some browsers have anti-XSS filters built-in by default, but they are not very efficient. The only one that can block a significant number of attacks is included in the NoScript Firefox extension.

XSS worms used to be quite frequent in 2009, however, social media websites have since gotten better at preventing such attacks. Nevertheless, some continue to pop up from time to time. Actually, the last one launched on Facebook occurred earlier this month and was used to spread weight loss spam.

In October last year, French security researchers demonstrated two information stealing worms that worked by exploiting cross-site request forgery and cross-site scripting vulnerabilities on Facebook.

According to Symantec’s Candid Wueest, Facebook has since addressed the vulnerability. “Facebook has informed us that they have patched this XSS vulnerability. In addition, they are currently working on steps to remediate damage caused by the attacks,” he says.

Last year Twitter was hit by a massive and more resilient XSS worm that locked hundreds of thousands of users out of their accounts.

Credit: News

Share this item with others:

More on CyberInsecure:
  • Four Cross-scripting Vulnerabilities Found on Facebook Pose Serious Privacy Risk
  • New Storm Worm Spam Campaign Mentions FBI And Facebook
  • XSS Worm At Affects 2525 Profiles
  • MySpace And Facebook Users Targeted By New Worms
  • Old Facebook Worm Using New Ways To Spread By Abusing Google Reader And Picasa Websites

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Facebook Mobile API XSS Vulnerability Used To Launch Spam Worm

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.