This morning I discovered a cross-site scripting vulnerability on a facebook.com page. The hole allows a hacker to execute scripts within the page and harvest a user’s post_form_id, the token Facebook’s forms send along with requests to guard against forgery. With that token in hand, an attacker could access the user’s profile and feed information, edit their profile information, change their status, send messages to their friends, post on their friends’ walls, authorize applications, authorize extended permissions for applications, and otherwise wreak havoc.
I have reported this problem to Facebook and expect them to respond quickly. Obviously, I intend to withhold details of the hack until Facebook issues a patch.
I would also note that while you might find this story of great interest, I personally think it pales in comparison to the ongoing problems with the Facebook Platform. A vulnerability of this type is serious, but Facebook normally acts swiftly to remove such a hole because the threat is readily apparent. Yet a similar hole in nearly any Facebook application allows a hacker to execute scripts, access profile information, issue notifications, post feed stories, and otherwise wreak havoc.
In the last few months, I have uncovered such holes in seven applications, three of which currently have monthly active users numbering in the tens of millions. Of course, using a trick known as clickjacking, an attacker can often reach even users who have not already authorized an application. I have written at length on how these attacks work, and have even demonstrated them several times.
Such hacks are not simply problems with Facebook applications – the current structure of the Facebook Platform itself enables the attacks. I am quite pleased that Facebook is today announcing new privacy controls which address at least one of the problems I outlined. I can only hope they continue to address the remaining issues, and that malicious hackers do not launch any serious exploits in the meantime.
Update (8/29): Patched. Details later.
Update 2 (8/29): Technical details now available.