Tuesday, October 5, 2010

Serious security flaws in Facebook revealed today

Today some XSS & CSRF vulnerabilities in Facebook, discovered by John Jean, have been reported. They are already patched, so this is educational material only, but it is extremely interesting nonetheless. The disclosure touches on several subjects, so I would like to comment on them. I attach the demonstration videos, but I recommend reading the whole article - it's worth it.

CSRF worm

XSS worm


  1. Facebook once again failed to protect against a simple XSS flaw, this time in the redirect script of their mobile site. It looks as if the mobile site needs some attention - it was already exploited a few weeks ago. Come on, how many of these are still hiding in the FB code? This is basic stuff!

  2. The demonstrated Proof of Concept attacks are state-of-the-art: well commented, realistic, well thought out. Congratulations to @johnjean! Especially for preparing a full-blown XSS attack rather than stopping at a dull and hermetic alert('XSS') and the like. As a side note: if you want to demonstrate an XSS quickly and make it interesting for the viewers, using the JavaScript Asteroids game is a great idea!

    Disclosure after disclosure, XSS PoCs are getting more advanced - and that is good, because the effect of XSS flaws on a site is devastating and we need to capture the attention of ordinary users. This time the story is simple for them: once you click on a web page, you lose your Facebook online credibility, just because there was an XSS flaw on a single page. And the flaw was live for months!

  3. Take a look at the code of the exploit for the CSRF flaw (1st video) - it's a really easy way of performing automated multi-step exploitation. The script for harvesting FB data is also interesting (its source has not been revealed).

  4. I still cannot believe that Facebook allowed changing a user's e-mail address without asking for their password first. It really is a fundamental flaw. Shame on you, FB.

I'm really looking forward to what @johnjean might come up with in the future.

1 comment:

Borys Łącki said...

Again, several errors made at a serious flaw. Very nice :}