wasc-whid@lists.webappsec.org

WASC Web Hacking Incidents Database


WHID 2011-28: Mysterious 'Roy Castillo' haunts Facebook

WASC Web Hacking Incidents Database
Thu, Jan 27, 2011 9:56 PM

WHID 2011-28: Mysterious 'Roy Castillo' haunts Facebook

Entry Title: WHID 2011-28: Mysterious 'Roy Castillo' haunts Facebook
WHID ID: 2011-28
Date Occurred: January 27, 2011
Attack Method: Cross Site Scripting (XSS)
Application Weakness: Improper Output Handling
Outcome: Spam
Attacked Entity Field: Web 2.0
Attacked Entity Geography:
Incident Description: He arrived on Wednesday, around the same time Facebook CEO Mark Zuckerberg's Facebook fan page was hacked. Roy Castillo, the ghost "friend" with a man's name and a profile pic of a teenage girl wearing sunglasses, popped up in the Facebook newsfeeds with the curt status: "Off to Danao City."
Facebook did not respond to Technolog's request for comment. But according to French security site Zazak, the bug that opened the door for Roy yesterday was reported, and slammed shut today.
Zazak reports that the hacker(s) behind Roy Castillo took advantage of a cross site scripting vulnerability (XSS) that allows outsiders to add script to Web pages.
Mass Attack: No
Reference:
http://technolog.msnbc.msn.com/_news/2011/01/27/5935542-mysterious-roy-castillo-haunts-facebook
Attack Source Geography:
Attacked System Technology: Facebook
