FAXX Hack: Family Tree

Facebook Verified Application

Current Monthly Active Users: 5,024,914

Current Rank on Application Leaderboard: 30

Application Developer: Familybuilder

Responsiveness: Familybuilder responded quickly, patched all the issues within a day or two, and sent updates on their progress.

Vulnerability Status: Patched

Capable of Clickjacking Install: Uncertain

Technical Details:

1. If a person wrote a comment on a user’s Family Feed containing FBML, that code would then be rendered when the feed was loaded, e.g. <fb:iframe src=’http://google.com/‘>.
2. If a user included FBML in sections of his/her Facebook profile information, this would be rendered when someone viewed the “Info” tab of the user’s Family Tree profile.
3. If a user inserted an FBML iframe that then referenced the direct URI of their Family Tree profile, this would in turn load malicious scripts embedded in the Family Tree page.  For example, inserting <fb:iframe src=”http://fb.apps.familybuilder.com/newfamilytree/scripts/profileInfo.php?profileid=PROFILENUM“> and <script>alert(document.cookie);</script> in a user’s Facebook profile, with the correct Family Tree profile number filled in, would have displayed the cookies on loading the “Info” tab.

Notes: This is an example of a persistent XSS hole – a bug I had not been looking for, but after Tom Eston found one in another application (to be posted later this week), I began keeping an eye out for them.