Webhacking and Security

[19/03/10] XSS on Facebook

Today, we discovered a Cross-Site Scripting (XSS) flaw on the community website ‘facebook.com’, present since one of the latest updates.
It is triggered when a name we search for is displayed by Facebook's AJAX search function.
Here is a Proof of Concept:

Join this group:
http://www.facebook.com/group.php?gid=111123275568518
Then search for it (with a keyword like “ss”, “gif” or “PoC”) at the top of the page. Let AJAX find the group for you.
There it is.

Seraphic Squad

We actually didn’t go further, but it seems to affect only the AJAX part of the search function.

Cordially,
Seraphic Squad.

PS: We have contacted Facebook but still haven't received any answer.

EDIT [22/03]: Someone seems to have reported it on Zataz http://www.zataz.com/news/20037/facebook–oday–exploit.html

EDIT2: The flaw isn't there anymore, good job fb 😉
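The post does not give the root cause, so the following is an added example (not code from the original post or from Facebook) of the usual defect behind this class of bug: a type-ahead search that builds result markup from a user-chosen group name. The function names, the `gid` value and the sample group name are constructed for illustration, and the assumption is that the name reached the page unescaped.

```javascript
// Added example: a search result row rendered two ways.
// Assumption: the AJAX endpoint returns { gid, name } and the client
// turns each hit into markup that is later assigned via innerHTML.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the group name is concatenated into markup as-is,
// so any tags in the name become live DOM nodes.
function renderUnsafe(group) {
  return '<li><a href="/group.php?gid=' + group.gid + '">' + group.name + '</a></li>';
}

// Hardened pattern: split the raw name around the matched keyword first,
// escape every segment, and only then add the trusted <b> highlight tag.
// Highlighting after escaping (or escaping before matching) is a common
// way to reintroduce the bug, so the order matters.
function renderSafe(group, keyword) {
  const gid = encodeURIComponent(String(group.gid));
  const name = String(group.name);
  const idx = keyword ? name.toLowerCase().indexOf(keyword.toLowerCase()) : -1;
  let label;
  if (idx === -1) {
    label = escapeHtml(name);
  } else {
    const end = idx + keyword.length;
    label = escapeHtml(name.slice(0, idx)) +
      '<b>' + escapeHtml(name.slice(idx, end)) + '</b>' +
      escapeHtml(name.slice(end));
  }
  return '<li><a href="/group.php?gid=' + gid + '">' + label + '</a></li>';
}

// Constructed sample: a group whose name contains markup.
const sampleGroup = { gid: 1, name: 'PoC <img src=x onerror=alert(1)>' };

console.log(renderUnsafe(sampleGroup));
console.log(renderSafe(sampleGroup, 'poc'));
```

Where a DOM is available, building the row with `document.createElement` and `textContent` avoids string-built markup altogether.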
