XSS On Facebook

Posted by: Joy | Category: Vulnerability

Status : Active, Partially Patched (> March 2010)

As the slogan of this blog says, there's a crack in everything; that's how the light gets in. It's true even on Facebook: there are still some holes left, hidden behind their application module. Around November 2009, while I was looking for bugs, I found holes for tweaking Facebook; at first the XSS worked only in IE and old Firefox browsers.

Screenshot:

Some time later, a bug was also found in the wall (clickjacking): the XSS is loaded with the click, which is riskier because it shows up in the feed of all your friends / on home.php. At present, apart from the wall, around 7 XSS variations have been found in Facebook that have not been patched (3 for IE and old Firefox only, 4 cross-browser), and probably many more. At first it was used only for changing the sidebar content, without any external scripting. The code is personal and not meant to be shared. Why? Notice the address of a Facebook profile: http://www.facebook.com/blahblah. Because the profile sits on the main domain, a script loaded on the profile page may be able to access information on the main domain, which is quite risky. There are too many malicious coders around us.

To Facebook users: be careful, because these security holes mean that someone could do much more than tweak a layout when you visit a profile. Frankly, I only use it for a small modification of the layout of my own profile, nothing more. To friends, coders, or anyone who will find or may already have found the same bug: please keep silent. Facebook is very comfortable even without XSS for page tweaking, and I hope it stays that way.


12 Responses to “XSS On Facebook”

11. kepala suku Says:

    Whoa… teach me, Joy, please… yeah yeah yeah…
    Send me a message on FB or via YM, I'll do whatever you say… sob :(

12. Joy Says:

    @div
    It doesn't work anymore, div.
    Only old profiles whose privacy settings haven't been updated can still be hit like that.
