Today, we discovered a Cross-Site Scripting flaw, present since one of the last updates, on the community website ‘facebook.com’.
It appears when a name we searched for is displayed by Facebook’s AJAX search function.
Here is a Proof of Concept:
Join this group:
Then go and search for it (with a keyword like “ss”, “gif” or “PoC”) at the top of the page. Let AJAX find the group for you.
There it is.
We actually didn’t go further, but it seems to affect only the AJAX part of the search function.
PS: We contacted Facebook but still haven’t got any answer.
EDIT [22/03]: Someone seems to have reported it on Zataz http://www.zataz.com/news/20037/facebook–oday–exploit.html
EDIT2: Flaw isn’t here anymore, good job fb 😉
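
The post does not show Facebook's code, so the following is an added example, not code from the post or from Facebook. It assumes the flaw was of the common kind where a user-chosen group name is written unescaped into the AJAX search dropdown, and contrasts that with a renderer that escapes the name while still highlighting the keyword; all function names and sample data are constructed.

```javascript
// Added illustration: rendering group names returned by an AJAX search.
// escapeHtml, renderUnsafe, renderSafe and the sample data are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-controlled name is concatenated into markup as-is.
function renderUnsafe(groups, keyword) {
  return groups
    .filter((g) => g.name.toLowerCase().includes(keyword.toLowerCase()))
    .map((g) => `<li>${g.name}</li>`)
    .join('');
}

// Hardened pattern: split the name around the match, escape each piece,
// then add the highlight tag, so the only markup in the output is our own.
// (If lowercasing shifts an index for exotic Unicode, the highlight may be
// misplaced, but every piece is still escaped.)
function renderSafe(groups, keyword) {
  const needle = keyword.toLowerCase();
  const items = [];
  for (const g of groups) {
    const at = g.name.toLowerCase().indexOf(needle);
    if (needle === '' || at === -1) continue;
    const before = escapeHtml(g.name.slice(0, at));
    const match = escapeHtml(g.name.slice(at, at + needle.length));
    const after = escapeHtml(g.name.slice(at + needle.length));
    items.push(`<li>${before}<b>${match}</b>${after}</li>`);
  }
  return items.join('');
}

// Constructed sample response; the second group name carries markup.
const sampleGroups = [
  { id: 1, name: 'Animated gif lovers' },
  { id: 2, name: 'PoC <img src=x onerror=alert(1)> gif' },
];

console.log(renderUnsafe(sampleGroups, 'gif')); // name's markup reaches the page
console.log(renderSafe(sampleGroups, 'gif'));   // name's markup is shown as text
```

In a browser, assigning the name through `textContent` on a created element gives the same guarantee without hand-written escaping.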