- Facebook once again failed to protect against a simple XSS flaw, this time in their mobile site redirect script. It looks as if their mobile site needs some attention - it was already exploited a few weeks ago. Come on, how many of these are still hiding in the FB code? This is basic stuff!
Disclosure after disclosure, XSS PoCs are getting more advanced - and that's good, because the effect of XSS flaws on sites is devastating and we need to capture the attention of common users. This time the story is simple for them - once you click on a webpage, you lose your Facebook online credibility, just because there was an XSS flaw on a single page. And the flaw was active for months!
- Take a look at the code of the exploit for the CSRF flaw (1st video) - it's really an easy way of performing automatic multi-step exploitation. The script for harvesting FB data is also interesting (the source for it has not been revealed).
- I still cannot believe that Facebook allowed a user's e-mail address to be changed without asking for his password first. It really is a fundamental flaw. Shame on you, FB.
I'm really looking forward to what @johnjean might come up with in the future.
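The e-mail change point above comes down to two server-side checks on a sensitive account action: a per-session anti-CSRF token and a fresh password prompt. The sketch below is an added example, not Facebook's code or anything from the disclosed PoC; the `user`, `session` and `form` dictionaries and all field names are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing scheme the site really uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_user(email: str, password: str) -> dict:
    # Constructed user record (hypothetical layout).
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "pw_hash": hash_password(password, salt)}


def change_email(user: dict, session: dict, form: dict) -> tuple:
    """Apply an e-mail change only if both checks pass. Returns (ok, reason)."""
    # Check 1: the request must carry the token issued to this session.
    # A cross-site forged form submission cannot read it.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return False, "bad_csrf_token"

    # Check 2: re-authenticate. A script running in the victim's session
    # (for example via XSS) can read the CSRF token but does not know the password.
    supplied = hash_password(form.get("current_password", ""), user["salt"])
    if not hmac.compare_digest(supplied, user["pw_hash"]):
        return False, "reauth_failed"

    new_email = form.get("new_email", "").strip()
    if "@" not in new_email:
        return False, "invalid_email"

    user["email"] = new_email
    return True, "updated"


if __name__ == "__main__":
    # Constructed sample data.
    alice = new_user("alice@example.test", "correct horse")
    sess = {"csrf_token": "constructed-session-token"}
    forged = {"new_email": "attacker@example.test"}
    print(change_email(alice, sess, forged))  # rejected: no token, no password
```

With only the first check in place, an XSS flaw on any page of the same origin is still enough to take over the account, which is why the password prompt matters for this particular action.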