From: Chris Evans (scarybeastsgmail.com)
Date: Wed Dec 10 2008 - 18:21:24 CST
On Tue, Dec 9, 2008 at 2:41 PM, Facebook IsBuggy wrote:
> Found in August, I tried to alert facebook as quickly as was possible
> - however I received no further correspondence to my communications.
> At time of writing, it was possible to exploit both Firefox 3 and IE 7
> - by simply using an IFRAME or even an object tag. (Dependent on the
> browser target)
> This allows you to overwrite the whole page with your choice of script/embed.
Although the domain is 2.channel15.facebook.com, all the significant
Facebook cookies appear to be .facebook.com domain cookies so wouldn't
the more significant attack involve those, rather than some elaborate
> Vulnerability was found by accident when I was routing my web traffic
> via WebScarab with an advanced list of strings to use with the
> in-built XSS/CSRF tool.
> src="http://www.google.com/" type="text/html" width="100%"
> Naturally that rather obvious URL could be encoded, or cut down to
> prevent the obvious anomaly. However, I feel the facebook domain name
> itself would be enough to fool most users.
This is not a significant aspect of this vulnerability.
You could go and register http://www.facebook-secure.com/ (or similar)
and that would leave users more than happy to believe & trust it is
Things can be different if the XSS is on an https-supporting login
domain, but that does not seem to be the case here.
> *Similar vulnerabilities had been spoken about on a credit card fraud
> (carding) forum prior to my discovery of this. Possibly for the use of
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
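The cookie-scope point Chris Evans raises above (a cookie set for .facebook.com is sent to every subdomain, so an XSS on 2.channel15.facebook.com reaches it unless it is HttpOnly) as an added audit example; this is not code from the thread, and the Set-Cookie headers, cookie names and values are constructed for illustration.

```python
# Added example, not part of the original thread: audit Set-Cookie headers for
# cookies that a script injected on a sibling subdomain would receive and read.
from http.cookies import SimpleCookie

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching; a leading dot is ignored."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def cookie_exposure(set_cookie: str, origin_host: str, xss_host: str) -> dict:
    """Describe what script running on xss_host can do with one cookie
    that origin_host set via the given Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name, morsel = next(iter(jar.items()))
    # No Domain attribute means a host-only cookie: only origin_host gets it.
    domain = morsel["domain"] or origin_host
    sent = domain_matches(xss_host, domain)
    return {
        "name": name,
        "domain": domain.lstrip("."),
        "sent_to_xss_host": sent,
        # Sent but HttpOnly: script cannot read it, though it can still be
        # replayed by requests the injected script makes from that subdomain.
        "script_readable": sent and not morsel["httponly"],
    }

# Constructed sample headers (not real Facebook cookies).
SAMPLE_HEADERS = [
    "session=abc123; Domain=.facebook.com; Path=/; Secure",
    "auth=xyz789; Domain=.facebook.com; Path=/; HttpOnly; Secure",
    "chan=42; Path=/",
]

def audit(headers, origin_host="www.facebook.com",
          xss_host="2.channel15.facebook.com"):
    """Return the exposure record for each header, in order."""
    return [cookie_exposure(h, origin_host, xss_host) for h in headers]

if __name__ == "__main__":
    for rec in audit(SAMPLE_HEADERS):
        print(rec)
```

Cookies flagged sent_to_xss_host are the ones whose scope should be narrowed to the login host, or at least marked HttpOnly, before an XSS on any other subdomain matters.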