I’d previously stated that I was confident I could relaunch my Facebook hack using an FBML application, but that I hadn’t worked out all the details. Today, I successfully used an XSS hole in an FBML application to access profile information, just as I had done with canvas applications before. I did so using an XSS vulnerability publicly published almost four months ago.
The particular application used this time always forwards new installs to the same URI, preventing me from using a clickjacking install to fully relaunch the attack page (though an added refresh may do the trick). But it definitely proves the point that nearly any application with an XSS hole is vulnerable to this type of attack, including FBML applications.
For those who did not get to experience the hack when it was live, I’m including a screenshot of the results page for a fake Facebook profile.