Full Disclosure mailing list archives

Re: [FULL DISCLOSURE] Facebook Non Persistant XSS

From: "Chris Evans" <scarybeasts () gmail com>
Date: Wed, 10 Dec 2008 16:21:24 -0800

On Tue, Dec 9, 2008 at 2:41 PM, Facebook IsBuggy
<facebookxss () googlemail com> wrote:

Found in August, I tried to alert facebook as quickly as was possible
- however I received no further correspondence to my communications.
At time of writing, it was possible to exploit both Firefox 3 and IE 7
- by simply using an IFRAME or even an object tag. (Dependant on the
browser target)

This allows you to overwrite the whole page with your choice of script/embed.


Although the domain is 2.channel15.facebook.com, all the significant
Facebook cookies appear to be .facebook.com domain cookies so wouldn't
the more significant attack involve those, rather than some elaborate
phishing scheme?


Vulnerability was found by accident when I was routing my web traffic
via WebScarab with an advanced list of strings to use with the
in-built XSS/CSRF tool.

----------------

http://2.channel15.facebook.com/iframe/7/?pv=49&rev=";></script><title>Google</title></head></body><IFRAME
src="http://www.google.com/"; type="text/html" width="100%"
height="100%"></IFRAME>

Naturally that rather obvious URL could be encoded, or cut down to
prevent the obvious anomaly. However, I feel the facebook domain name
itself would be enough to fool most users.


This is not a significant aspect of this vulnerability.
You could go and register http://www.facebook-secure.com/ (or similar)
and that would leave users more than happy to believe & trust it is
Facebook.
Things can be different if the XSS is on an https-supporting login
domain, but that does not seem to be the case here.

Cheers
Chris


http://2.channel15.facebook.com/iframe/7/?pv=49&rev=%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E

----------------

*Similar vulnerabilities had been spoken about on a credit card fraud
(carding) forum prior to my discovery of this. Possibly for the use of
phisihing.*

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[FULL DISCLOSURE] Facebook Non Persistant XSS Facebook IsBuggy (Dec 10)
- Re: [FULL DISCLOSURE] Facebook Non Persistant XSS Chris Evans (Dec 10)