[WASC-WHID] WHID 2011-58: Facebook XSS flaw misused for automatic Wall posting

WASC Web Hacking Incidents Database wasc-whid at lists.webappsec.org
Mon Apr 25 09:11:52 EDT 2011

*Entry Title: *WHID 2011-58: Facebook XSS flaw misused for automatic Wall
*WHID ID: *2011-58
*Date Occurred: *March 29, 2011
*Attack Method: *Cross Site Request Forgery (CSRF)
*Application Weakness: *Insufficient Process Validation
*Outcome: *Disinformation
*Attacked Entity Field: *Web 2.0
*Attacked Entity Geography: *USA
*Incident Description: *A currently unpatched XSS vulnerability in the
mobile API version of Facebook is currently being exploited to post messages
to users' Walls, which serve as a gateway to the specially crafted website
exploiting the flaw.
The flaw has been misused for a while now, but has only recently been used
widely. Indonesian users are currently targeted by various groups using the
vulnerability to their advantage.
"It allows any website to include, for example, a maliciously prepared
iframe element that contains JavaScript or use the http-equiv attribute’s
“refresh” value to redirect the browser to the prepared URL containing the
JavaScript," explains Symantec. "Any user who is logged into Facebook and
visits a site that contains such an element will automatically post an
arbitrary message to his or her wall."
*Mass Attack: *No
*Reference: *http://www.net-security.org/secworld.php?id=10814
*Attack Source Geography: *
*Attacked System Technology: *Facebook
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/wasc-whid_lists.webappsec.org/attachments/20110425/295ce43f/attachment-0003.html>

More information about the wasc-whid mailing list