Revealing Facebook Application XSS Holes

Beginning tomorrow, September 1st, I will begin posting full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on theharmonyguy.com with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) and the name of the application. I will also publish a corresponding update to my Twitter account with the hashtag #FAXX and a link to the post. (Update (9/10): I appreciate the input from several people regarding timing, and I’ve changed my mind – I’ll wait for patches before posting holes. I certainly want to uphold ethical disclosures, and in hindsight the 24-hour rule probably wasn’t a good idea. My bad, and once again I’m grateful for other perspectives. I am rather new to all this.)

At this time, I have found five widely used Facebook applications vulnerable to XSS. I intend to look for more over the next few days, and I am open to submissions from others via theharmonyguy on Gmail. I will give full credit for any new holes submitted.

Once I have posted all known XSS vulnerabilities in Facebook applications, I plan on releasing the full source code of XSS/CSRF demos I have created which demonstrate the ways a hacker can exploit such problems.

Let the games begin.

8 Comments

Fuad Ahasan Chowdhury says:
September 7, 2009 at 5:42 am

let’s begin :)
ds r4 says:
October 6, 2009 at 1:56 am

it’s a very interesting idea to launch facebook games, Lets start as Mr chowdhary said. Thanks for sharing.
ds cartes says:
February 10, 2010 at 8:30 am

Thank you to share!
Anonymous says:
April 9, 2010 at 5:51 am

I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the fantastic work Look forward to reading more from you in the future.
Medyumlar says:
June 3, 2010 at 11:04 am

I found your blog on google and read a few of your other posts. I just added you to my Google News Reader. Keep up the fantastic work Look forward to reading more from you in the future.
medyum says:
August 23, 2010 at 4:52 pm

Thanks for such a great post and the review, I am totally impressed! Keep stuff like this coming
vefk says:
March 17, 2011 at 6:31 pm

thank you very much….
medyumlar says:
April 16, 2011 at 12:04 pm

it’s a very interesting idea to launch facebook games, Lets start as Mr chowdhary said. Thanks for sharing…..

Trackbacks/Pingbacks

Twitter Trackbacks for Revealing Facebook Application XSS Holes | Social Hacking [theharmonyguy.com] on Topsy.com - [...] Revealing Facebook Application XSS Holes | Social Hacking theharmonyguy.com/2009/08/31/revealing-facebook-application-xss-holes – view page – cached #Social Hacking RSS ...

If anyone comes across one of the scam links for the Facebook "virus", please pass it on - I'd like to see how the self-XSS part works.
about 5 hours ago from web
YES!!! Thank you so much, Google! "With the verbatim tool on, we’ll use the literal words you entered" http://t.co/f4hZvy6w
about 6 hours ago from web
Link for the last tweet, which when appended at the end (without http://) would generate the error I mentioned: http://t.co/9sGaBRcS
08:17:08 PM November 11, 2011 from web
"Internet users routinely trust their security of information to 3rd parties...they give up a reasonable expectation of privacy"
08:16:31 PM November 11, 2011 from web
I keep getting "Your account may not be allowed to perform this action" when I try to post a certain tweet on privacy. (Cue conspiracies. :)
08:16:15 PM November 11, 2011 from web

Revealing Facebook Application XSS Holes

Trackbacks/Pingbacks

Leave a Reply

Further Updates from Twitter

Search Archives

Facebook Page

Content License

Post Archives