Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 23rd, 2008

New Cross-Site Scripting Vulnerability Found On Facebook

According to XSSed, Facebook is vulnerable to a cross site scripting flaw that leaves its users at risk from scripting attacks and logins phishing. The security blog has posted a proof of concept demo of a flaw on the social networking website that could leave surfers vulnerable to malware. Attackers can also trick users into handing over their credentials through fake logins served up from third party sites.

Here is a harmless proof of concept, shown at XSSed:

Security watchers say that malware authors, spammers and scammers are paying increasing attention to social networking websites. This recent Facebook vulnerability comes shortly after the cross-site scripting exposure on

Additional warnings of this kind of vulnerability come as network security firm Sophos detected a 419 scam email on business-focused social networking site LinkedIn earlier this week.

At this moment the flaw is still open. Facebook has been already notified of the vulnerability.

Update (May 27):  Facebook has fixed this vulnerability a couple of days ago.

Share this item with others:

More on CyberInsecure:
  • Facebook Mobile API XSS Vulnerability Used To Launch Spam Worm
  • Cross-Site Scripting Vulnerability On Paypal Could Be Used In Phishing Attacks
  • Cross-site Scripting Vulnerability Found In MI5 Website By A Hacker
  • Four Cross-scripting Vulnerabilities Found on Facebook Pose Serious Privacy Risk
  • Another Cross-Site Scripting Vulnerability On eBay Domain Sites Allows Phishing

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Cross-Site Scripting Vulnerability Found On Facebook

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.