August 21, 2011
Posted by: Joy : Category: Facebook Tips

As you might already know, on Facebook we can insert certain media attachments, such as an image, a video/Flash object or an MP3 audio file, through our own application. The attachment is an array of structured data that defines the post. To understand how to post each kind of attachment, we first need to understand Facebook Stream Attachments. You can read more about the details on their page. Here we discuss an issue with one of its parameters, named “name”.
You can use these Stream Attachments through:
As I said above, here we are going to use the ‘name’ parameter of the attachment to add an FBML injection to our post. This trick was found by some of our brothers and sisters on balikita, inspired by a tag button; Roy Castillo then used fb:live-stream, and it was tweaked further by some other forum members. Assuming that you already know how to insert the attachment, you can insert FBML code inside the parameter like:
Read more…
May 04, 2011

Here we will discuss Facebook XSS again. The last XSS method, using the iPhone prompt_feed.php, has been filtered: they have patched the system, but not every hole, and they still left us a chance to inject another XSS via onClick using the same app.
You can still insert the XSS via the iPhone app, via Android, via BlackBerry, via Facebook Exporter for iPhoto, via Facebook Toolbar for Firefox or via Windows Phone, and perhaps some other apps. The instructions are similar to the previous method for the iPhone XSS, but with a small change. Kindly follow these instructions to get your own Facebook layout: Read more…
March 29, 2011
Posted by: Joy : Category: Lifestyle

Through this post, I’d like to say sorry to anyone who is a victim of the autopost spamming code on Facebook. It wasn’t fully me who did all the spamming activities. But I accept that I’m also guilty of it, I’m part of it and I feel so sorry. I’ve been doing this since around March 20-21. I was using http://bit.ly/hRqjAW to shorten the URL at that time, until it was blocked for suspicious activity. Now they will give a warning message before people can see the real URL. Last time I used http://y.ahoo.it/gajeBA, but I have already removed the autopost code inside.
Let me tell you the chronology of how the code could spread everywhere like it has now. It was first used by me only for promoting this blog, getting more traffic, just for fun indeed. You can see this image; it shows how the Alexa rank increased rapidly in 1-2 days.
Read more…
March 28, 2011
Posted by: Joy : Category: Facebook Tips, Vulnerability

What has happened out there really pushes me to share this. I call this Autopost Spamming using Facebook Mobile XSS. I don’t care anymore if this one gets filtered; the faster they fix it, the better. People don’t seem to care how hard I tried to hide this code from the Facebook team. Frankly, I also use this to post spam with a link to this blog, but it only affects Indonesian IPs, with a custom interval, so people outside Indonesia won’t be able to see it. Too bad it has now spread like a worm everywhere, wide open without any source code protection.
Never mind, it’s no use complaining about what has happened anyway. Let’s talk about this in detail. This is about how to make an autopost status update to people’s Facebook profiles. This method uses an XSS vulnerability in prompt_feed.php on m.facebook.com. When people see our page with this evil code, they will automatically post a status update with any message we want.
Below is the iframe HTML source code:
Read more…