Remember that Facebook hack I posted a few days ago that exploited an XSS hole in SuperPoke to harvest users’ profile information? I mentioned in my follow-up posts that the hack was not specific to SuperPoke and could be adapted to an XSS hole in another application.
Such as FunSpace.
This application, formerly known as FunWall, has over 11.4 million monthly active users, and, according to a recent review by Inside Facebook, is the most active application on Facebook in terms of daily active users. That means that an attacker has a high probability of success without resorting to a clickjacking authorization. FunSpace is also a Facebook Verified Application.
And it does, in fact, have an XSS hole. How long did it take me to find the hole? Less than an hour.
All of this means that right this second, if I so desired, I could replace one file at theharmonyguy.com and previous links to the attack page would once again work. Visiting the attack page would again forward you to a page with nearly all of your profile data displayed. I’ve already put together the updated version of the attack.
I say this to illustrate that the four privacy problems I originally posted a few days ago are still very much problems, and that this type of attack can continue as long as Facebook does not respond to them. I originally exploited SuperPoke, now I can exploit FunSpace, tomorrow I can possibly exploit another popular application. But playing whack-a-mole with application bugs will not solve anything.
Finally, I’d like to hear your feedback on whether I should update the attack page and make it live again. It’s not one easily illustrated by screenshots, since the results page is full of personal data.
Update: Considering the success of this hack, I’ve started going through AllFacebook’s list of top Facebook applications by monthly active users and hunting for XSS holes in each. I quickly found a means of FBML injection in Causes, which is second on the leaderboard and another Facebook Verified Application. Launching an FBML-based attack is proving to be more complicated, but still appears to be possible. In fact, even embedding external scripts with access to the user’s session secret is not as difficult as you might think.
Update 2: Decided to check Bumper Sticker (nearly 5 million MAU) about 10 minutes ago, and quickly found an FBML injection hole.
Update 3 (6/26): Earlier today I posted the new attack code, and within about three hours, FunSpace patched the hole. I haven’t found another XSS hole in an HTML-based Facebook application, and haven’t yet worked out the details of an FBML-based attack, but I’m confident the hack could still be relaunched. People need to understand that nearly any application XSS vulnerability will enable this type of attack.
Share with your friends!