Aug. 31, 2009

Posted in Facebook, FAXX Hacks

Revealing Facebook Application XSS Holes

Starting tomorrow, September 1st, I will begin posting full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on theharmonyguy.com with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) and the name of the application. I will also publish a corresponding update to my Twitter account with the hashtag #FAXX and a link to the post. (Update (9/10): I appreciate the input from several people regarding timing, and I’ve changed my mind – I’ll wait for patches before posting holes. I certainly want to uphold ethical disclosures, and in hindsight the 24-hour rule probably wasn’t a good idea. My bad, and once again I’m grateful for other perspectives. I am rather new to all this.)

At this time, I have found five widely used Facebook applications vulnerable to XSS. I intend to look for more over the next few days, and I am open to submissions from others via theharmonyguy on Gmail. I will give full credit for any new holes submitted.

Once I have posted all known XSS vulnerabilities in Facebook applications, I plan to release the full source code of the XSS/CSRF demos I have created, which demonstrate the ways a hacker can exploit such problems.

Let the games begin.

  1. It’s a very interesting idea to launch Facebook games. Let’s start as Mr Chowdhary said. Thanks for sharing.

  2. Thank you for sharing!

  3. I found your blog on Google and read a few of your other posts. I just added you to my Google News Reader. Keep up the fantastic work. I look forward to reading more from you in the future.

  4. Thanks for such a great post and the review, I am totally impressed! Keep stuff like this coming.

  5. Thank you very much.
