XSS On Facebook
Status : Active, Partially Patched (> March 2010)
As the slogan of this blog says, there's always a crack in everything, that's how the light gets in. Yes, it's true even on Facebook: there are some holes left. The secret is left behind their application module. Around last November (2009), while I was looking for bugs, I found holes for tweaking Facebook; at first the XSS worked only in IE and old Firefox browsers.
After some time, a bug was also found in the wall (clickjacking): the XSS is loaded with the click. This is more risky because it appears in the feed of all your friends (home.php). At present, apart from the wall, there are around 7 XSS variations found in Facebook that have not been patched (3 for IE and old Firefox only, and 4 cross-browser), and probably many more. At first it was only used for changing the content of the sidebar, without external scripting, and the code is really personal and not intended to be shared. Why? Notice the address of a Facebook profile: http://www.facebook.com/blahblah. This means an event loaded on a profile could access information on the main domain, which is quite risky. There are too many malicious coders around us.
To Facebook users: be careful about the existence of these security holes. This shows that anyone can do more than you expect when you visit a profile. Frankly, I only use it for a small modification of the layout of my profile, nothing more. To friends, coders, or anyone who will find or may have found the same bug: please keep silent. Facebook is very comfortable even without XSS for page tweaking; I hope it will stay like that.
March 21st, 2010 at 3:52 am
hello crazy davinci
are you Filipino??
can I add you on YM.. rexus351@yahoo.com
and also really, really good job on the Facebook wall XSS
hail to you… Do you have any contact information??
March 22nd, 2010 at 8:23 am
Yeah, you're right, Mr. Joy, that Facebook is very comfortable even without XSS for page tweaking, but I'm still angry when a friend keeps bullying me, so I want to hack them, but I don't have any knowledge in finding XSS on Facebook.
March 30th, 2010 at 12:42 am
#rex
I'm rarely online on YM right now; kindly use the contact form on this blog to contact me.
#soni
You can always report people for bullying; a clear screenshot would give Facebook developers a better shot at taking action on his account.
April 19th, 2010 at 6:51 am
how do I add JS to FB???
so that a message appears when someone visits our profile…
May 28th, 2010 at 9:56 am
wazzup dude.. nice work.. please share your Visitor Info script with me, I know JavaScript.. to make a layout.. thanks.
June 2nd, 2010 at 9:37 am
salute to your creativity, bro davinci:
is there a linker for Facebook? like the one on FS back then. bro, why is your Facebook default, not like in the screenshot? test page?
June 24th, 2010 at 6:53 pm
awesome, boss… Like This
July 24th, 2010 at 3:56 am
This is certainly one of the most remarkable blogs I have seen. It’s so easy to tune out, but there is really some first-rate information online, and I think your place is one of the few!