White paper on Facebook XSS

Written by DP

Saturday, 4 August 2007

Adrienne Felt is a student of University of Virginia's School of Engineering, double majoring in computer science (B.S.) and mathematics. She is "currently examining the Facebook  Platform as a case study on the security of mashups", and recently discovered a serious XSS vulnerability affecting the popular social networking website.

Quoting from her e-mail about the Facebook XSS issue: "It  allows someone to add executable code to a profile (thereby compromising anyone who views the profile).  Since Facebook uses a  single "secret" form ID for all forms on the site, the exploit opens  up the entire site. The fun part is that the code could propagate by calling a form to install itself to the user's profile.

I wrote up a detailed step-by-step paper on how to exploit such a vulnerability (However, it does not include the exact location of  the XSS hole).  The paper is located at  There's also a shorter writeup and a demo available at"

The white paper is titled "Defacing Facebook: A Security Case Study", and is a very interesting read.

Facebook has been XSSed a few times in the past, but promptly fixed the vulns:

Thank you Adrienne for letting us know! ;)

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.