Facebook Verified Application
Current Monthly Active Users: 5,024,914
Current Rank on Application Leaderboard: 30
Application Developer: Familybuilder
Responsiveness: Familybuilder responded quickly, patched all the issues within a day or two, and sent updates on their progress.
Vulnerability Status: Patched
Capable of Clickjacking Install: Uncertain
- If a person wrote a comment on a user’s Family Feed containing FBML, that code would then be rendered when the feed was loaded, e.g. <fb:iframe src=’http://google.com/‘>.
- If a user included FBML in sections of his/her Facebook profile information, this would be rendered when someone viewed the “Info” tab of the user’s Family Tree profile.
- If a user inserted an FBML iframe that then referenced the direct URI of their Family Tree profile, this would in turn load malicious scripts embedded in the Family Tree page. For example, inserting <fb:iframe src=”http://fb.apps.familybuilder.com/newfamilytree/scripts/profileInfo.php?profileid=PROFILENUM“> and <script>alert(document.cookie);</script> in a user’s Facebook profile, with the correct Family Tree profile number filled in, would have displayed the cookies on loading the “Info” tab.
Notes: This is an example of a persistent XSS hole – a bug I had not been looking for, but after Tom Eston found one in another application (to be posted later this week), I began keeping an eye out for them.
Share with your friends!