
Critical Facebook XSS bugs could be used to hijack accounts

Written by DP

Friday, 3 September 2010

We suggest that you read a late July 2010 post by Robert Abela from Acunetix about a cross-site scripting (XSS) vulnerability they discovered on Facebook, one that could lead to account hijacking:
 
 
 
The Acunetix team has produced a high-quality video demonstrating the vulnerability:

 

 

Furthermore, you should read their detailed technical explanation of the issue, describing the impact that cross-site scripting vulnerabilities could have on social networking sites.
 
The vulnerability is now fixed according to Acunetix:
"We notified Facebook about this instance of cross-site scripting vulnerability and would like to thank the Facebook Security Team for quickly fixing this security hole."
 
During the same period, another critical Facebook XSS also came to light. It was submitted to our archive by the web security researcher nicknamed "AKABEY" and still appears to be working. Because the injected script runs in the facebook.com origin, an attacker who lures a logged-in user into opening a crafted link can act as that user: any of Facebook's hundreds of millions of accounts can be hijacked this way, and the same foothold can be used to push malware, spyware and adware to the victim.
 
http://www.facebook.com/photo_search.php?id=129946463714673 (this is the original submitted by AKABEY)
 
Screenshot #1:
 
Just to make sure it is really working, I tried it myself...
 
Screenshot #2:
 
Screenshot #3:
 
We are sure that the Facebook security team will quickly remediate this working critical XSS flaw!

