Webhacking and Security

Cross-site Scripting (XSS)

[19/03/10] XSS on Facebook

Today, we discovered a Cross Site Scripting, available since one of the last updates on the community website ‘facebook.com’.
It appears at the view of a name we search via the AJAX search function of Facebook.
There is a Proof of Concept:

Join this group:
Then go and search it (with a keyword like “ss”, “gif” or “PoC”) at the upper part of the page. Let AJAX find the group for you.
There it is.

Seraphic Squad

We actually didn’t go further, but it seems to affect only the AJAX part of the search function.

Seraphic Squad.

PS: We had contacted Facebook but still didn’t got any answer.

EDIT [22/03]: Someone seems to have reported it on Zataz http://www.zataz.com/news/20037/facebook–oday–exploit.html

EDIT2: Flaw isn’t here anymore, good job fb 😉