May 04, 2011

Here we will discuss Facebook XSS again. The last XSS method, using the iPhone prompt_feed.php, has been filtered; they have patched the system, but not all the holes, and they still left us a chance to put another XSS onClick using the same app.
You can still insert the XSS via the iPhone app, via Android, via BlackBerry, via Facebook Exporter for iPhoto, via Facebook Toolbar for Firefox or via Windows Phone, and perhaps some other apps. The instructions are similar to the previous method for the iPhone XSS, but with a little change. Kindly follow these instructions to get your own Facebook layout:
Read more…
March 28, 2011
Posted by: Joy : Category: Facebook Tips, Vulnerability

What has happened out there really pushes me to share this. I call this Autopost Spamming using Facebook Mobile XSS. I don't care anymore if this one gets filtered; the faster they fix it, the better. People don't seem to care how hard I tried to hide this code from the Facebook team. Frankly, I also use this to post spam with a link to this blog, but it only affects Indonesian IPs, with a custom interval, so people outside Indonesia won't be able to see it. Too bad it's now spread like a worm everywhere, wide open without any source code protection.
Never mind, it's no use complaining about what has happened anyway. Let's talk about this in detail. This is about how to make an autopost status update to people's Facebook profiles. This method uses an XSS vulnerability in prompt_feed.php on m.facebook.com. When people see our page with this evil code, they will automatically post a status update with any message we want.
Below is the iframe HTML source code:
Read more…
March 26, 2011
Posted by: Joy : Category: Facebook Tips, Vulnerability
Facebook XSS again. This time it is activated onClick via the Facebook iPhone application. I decided to reveal this to the public, as one of our friends found it accidentally and many have also posted it publicly on their walls. Sooner or later they will find out and patch this vulnerability again anyway. This XSS vulnerability was actually found back in 2009. I used it before, using the old "profile box" to load XSS on my profile. I didn't use it at that time as it's actually activated onClick, meaning that the script will load on the user's click, not autorun.
This time we will post the XSS vector via the iPhone app. OK, if you want to see the real Facebook layout on your own profile, without any addon, please follow these steps carefully:
Read more…
January 08, 2011
Posted by: Joy : Category: Security, Vulnerability

It seems Google Bangladesh suffered a DNS hijack today, January 8, 2011, showing a weird hipster page playing a hip-hop song and claiming that Google Bangladesh got "OwN3D by TiGER-M@TE". Visitors to the company's Bangladesh search site (Google.com.bd) see a defaced landing page rather than the usual search site. It was a DNS hijack: Mr. "TiGER-M@TE" successfully hijacked the DNS records for google.com.bd and redirected them to "172.233.68.2", which when visited says the site doesn't exist, but oh well..
Below is the screenshot of the defacement page:
Read more…