Revealing Facebook Application XSS Holes
Starting tomorrow, September 1st, I will post full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on theharmonyguy.com with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) followed by the name of the application. I will also publish a corresponding update to my Twitter account with the hashtag #FAXX and a link to the post. (Update (9/10): I appreciate the input from several people regarding timing, and I’ve changed my mind – I’ll wait for patches before posting holes. I certainly want to uphold ethical disclosure, and in hindsight the 24-hour rule probably wasn’t a good idea. My bad, and once again I’m grateful for other perspectives. I am rather new to all this.)
At this time, I have found five widely used Facebook applications vulnerable to XSS. I intend to look for more over the next few days, and I am open to submissions from others via theharmonyguy on Gmail. I will give full credit for any new holes submitted.
Once I have posted all known XSS vulnerabilities in Facebook applications, I plan on releasing the full source code of XSS/CSRF demos I have created which demonstrate the ways a hacker can exploit such problems.
Let the games begin.