Minor Changes to the Month of Facebook Bugs

For the second half of the FAXX Hacks series, I will be making two changes. First, I will no longer indicate whether a vulnerability is also susceptible to clickjacking installs. This project has taken a good deal of volunteered time, and I’ve already shown that over half of the first 15 vulnerabilities could be used with clickjacking.

Second, the example URIs for the next 15 applications will simply demonstrate inserting an fb:iframe tag. Working out the details of the full double-injection trick I’ve previously demonstrated usually takes considerably more time than checking for clickjacking, and thus far has nearly always been possible. When I release demonstration attack code in October, I also plan on giving a more thorough explanation of the double-injection technique.

Thanks for reading and I hope you enjoy the rest of the series – if you think the first half exhausted all the applications with large userbases, think again.