Revealing Facebook Application XSS Holes

Beginning tomorrow, September 1st, I will begin posting full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) and the name of the application. I will also publish a corresponding update to my Twitter account with the hashtag #FAXX and a link to the post.

At this time, I have found five widely used Facebook applications vulnerable to XSS. I intend to look for more over the next few days, and I am open to submissions from others via theharmonyguy on Gmail. I will give full credit for any new holes submitted.

Once I have posted all known XSS vulnerabilities in Facebook applications, I plan on releasing the full source code of XSS/CSRF demos I have created which demonstrate the ways a hacker can exploit such problems.

Let the games begin.

Facebook Instapaper Twitter Digg FriendFeed Delicious Google Bookmarks Yahoo Bookmarks Share/Bookmark

Share with your friends!
  • Facebook
  • Twitter
  • Google Plus
  • LinkedIn
  • StumbleUpon
  • Add to favorites
  • Email
  • RSS

Comments are closed.