Full Disclosure mailing list archives
Re: [FULL DISCLOSURE] Facebook Non Persistant XSS
From: "Chris Evans" <scarybeasts () gmail com>
Date: Wed, 10 Dec 2008 16:21:24 -0800
On Tue, Dec 9, 2008 at 2:41 PM, Facebook IsBuggy <facebookxss () googlemail com> wrote:
Found in August, I tried to alert facebook as quickly as was possible - however I received no further correspondence to my communications. At time of writing, it was possible to exploit both Firefox 3 and IE 7 - by simply using an IFRAME or even an object tag. (Dependant on the browser target) This allows you to overwrite the whole page with your choice of script/embed.
Although the domain is 2.channel15.facebook.com, all the significant Facebook cookies appear to be .facebook.com domain cookies so wouldn't the more significant attack involve those, rather than some elaborate phishing scheme?
Vulnerability was found by accident when I was routing my web traffic via WebScarab with an advanced list of strings to use with the in-built XSS/CSRF tool. ---------------- http://2.channel15.facebook.com/iframe/7/?pv=49&rev="></script><title>Google</title></head></body><IFRAME src="http://www.google.com/" type="text/html" width="100%" height="100%"></IFRAME> Naturally that rather obvious URL could be encoded, or cut down to prevent the obvious anomaly. However, I feel the facebook domain name itself would be enough to fool most users.
This is not a significant aspect of this vulnerability. You could go and register http://www.facebook-secure.com/ (or similar) and that would leave users more than happy to believe & trust it is Facebook. Things can be different if the XSS is on an https-supporting login domain, but that does not seem to be the case here. Cheers Chris
http://2.channel15.facebook.com/iframe/7/?pv=49&rev=%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E ---------------- *Similar vulnerabilities had been spoken about on a credit card fraud (carding) forum prior to my discovery of this. Possibly for the use of phisihing.* _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [FULL DISCLOSURE] Facebook Non Persistant XSS Facebook IsBuggy (Dec 10)
- Re: [FULL DISCLOSURE] Facebook Non Persistant XSS Chris Evans (Dec 10)