I can’t emphasize this enough: As the Facebook Platform is currently set up, nearly any XSS vulnerability in an application allows my hack from last month (I may need a name for this thing soon) to succeed.
Tonight, after two hours of poking around various applications, I once again successfully used my hack to access profile information via an XSS hole in an FBML application. This particular application has over 10 million monthly active users. It also luckily prevents a clickjacking install, but with such wide reach, a relaunch of the hack would affect many users anyway.
If any technology news site wants a great story on the security of the Facebook Platform, please get in touch – I simply want to get the word out on this issue to raise user awareness.