New critical XSS on Facebook fixed in record time due to ethical disclosure

Written by Pierre Gardenat and DP

Wednesday, 25 February 2009

Security researcher Pierre Gardenat is preparing a paper for the SSTIC 09 ( - Rennes 3,4 and 5th June 2009) on the evolution of XSS threats; since wide social networks like Facebook can become powerful attack vectors, it was interesting to see if some of these networks were vulnerable to permanent XSS attacks, which would make XSS worm spreading possible. In december 2008, Pierre found that the caption field of article images was not properly sanitized, which allowed to inject nasty code in a profile wall.

He sent the vulnerability to Facebook and it was fixed in a few hours. Two days ago, another highly critical XSS vulnerability (fixed at this time of writing) allowed not only to spread a XSS worm on Facebook but also to take control of an infected profile from the very moment that a user connects to his profile. An attacker would find it very useful to make a user believe that he has submitted a wrong username or password and to force him to send his credentials to a server controlled by him.

The vulnerability was fixed around noon-1 PST on 24/02/2009 according to Facebook staff. A mirror of the fixed Facebook XSS will be posted here later today.

How does it work?

With the default settings, after you have created a group, all the people that have joined this group receive a notification when you change the group name; if you inject JavaScript code in the new name of the group, this script will be executed on every facebook page visited by a group member, since the notification module is part of the basic Facebook framework.

At the SSTIC 09, Pierre will disclose a few videos demonstrating possible exploitations of this flaw: stealing user credentials or other personal datas, spreading a XSS worm, scanning a network, using all the infected profiles to launch powerful attacks over the Internet, etc. He will also say that it is extremely difficult to produce a completely safe code in huge applications like Facebook and even if Facebook is vulnerable, its developpers do a very good job, using httponly cookies and virtualizing third party application code with fbjs for example.

The goal of his presentation will be to make people like developers and managers more aware of what could be a massive XSS attack... He will only present exploitation examples of fixed vulnerabilities, obviously!!! ;-)

Big thanks to Pierre for discovering this flaw and ethically reporting it to Facebook. Also thanks to Facebook staff for fixing it in record time! Well done! ;-)

Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.