FAXX Hack Break: More Facebook XSS

Today I’m going to take a break from posting application holes, though not due to lack of material. I have several vulnerabilities ready to post, but I’m giving developers time to ensure their applications are secure. A few requests forced me to adjust my schedule, so I’ll make up for today’s omission in the future.

In the mean time, I thought I would share another Facebook bug that security researcher Pierre Gardenat sent to me. Full credit for this bug goes to Gardenat.

Earlier this year, he published a paper (PDF, French) on XSS vulnerabilities within Facebook itself. As his paper notes, Facebook did issue fixes, but only at the presentation layer. Facebook apparently did not take steps to identify harmful code already stored in their databases, or provide filters to avoid more code from being inserted.

Consequently, another attack vector surfaced when another facet of the presentation layer remained unpatched. First, a user could enter script tags with code in the screen name field of their profile’s contact information. Visiting Facebook in a desktop browser would not load the script, as presentation layer filters prevented it from being rendered as script. However, the mobile version of Facebook at m.facebook.com did not have such protections, and the script would execute fine.

This is an example of a persistent XSS hole, as opposed to the reflected XSS holes I’ve been posting so far. The attack code is stored within the application and loaded whenever a user visits a page that loads the code. In some ways this type of attack is more powerful than a standard reflected XSS attack.

Facebook has, of course, patched the mobile site now. But understanding the layers involved in dealing with XSS holes is an important lesson. And it’s one Facebook applications should not ignore, since they too can become susceptible to persistent XSS holes. In fact, two applications (one a Facebook Verified Application) vulnerable in this way have already been discovered, and I plan on posting details of the problems later this week as FAXX hacks.

No Comments

Trackbacks/Pingbacks

Tweets that mention FAXX Hack Break: More Facebook XSS | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by theharmonyguy, SocialMediaSecurity and CFSecurityGeek. CFSecurityGeek said: Another FB Security re-post: http://bit.ly/3IKwdJ [...]

Interesting. Not sure what I think of this yet, but food for thought. RT @krvw Where's the Steve Jobs of IT security? http://t.co/ZQyhLjfB
about 3 hours ago from web
Yay, Twitter works smoothly in Chrome 16 again! Updated to 16.0.912.0.
about 3 hours ago from web
I give Jotly an A+... http://t.co/isk2GHTL "Your life is exciting and worth sharing... Everyone cares about everything you do."
about 12 hours ago from web
"It's not 'who you share with,' it's 'who you share as'..." Chris Poole on identity: http://t.co/MfxrYppo (via @benadida)
about 16 hours ago from web
New favorite site: http://t.co/q2yl2MmH Free commercial-use fonts that are actually good quality. (Not an ad, I'm a font geek.) HT @LeaVerou
04:01:09 PM October 17, 2011 from web

FAXX Hack Break: More Facebook XSS

Trackbacks/Pingbacks

Leave a Reply

Further Updates from Twitter

Search Archives

Facebook Page

Content License

Post Archives