On Tue, Dec 9, 2008 at 2:41 PM, Facebook IsBuggy <[EMAIL PROTECTED]> wrote: > Found in August, I tried to alert facebook as quickly as was possible > - however I received no further correspondence to my communications. > At time of writing, it was possible to exploit both Firefox 3 and IE 7 > - by simply using an IFRAME or even an object tag. (Dependant on the > browser target) > > This allows you to overwrite the whole page with your choice of script/embed.
Although the domain is 2.channel15.facebook.com, all the significant Facebook cookies appear to be .facebook.com domain cookies so wouldn't the more significant attack involve those, rather than some elaborate phishing scheme? > > Vulnerability was found by accident when I was routing my web traffic > via WebScarab with an advanced list of strings to use with the > in-built XSS/CSRF tool. > > ---------------- > > http://2.channel15.facebook.com/iframe/7/?pv=49&rev=";></script><title>Google</title></head></body><IFRAME > src="http://www.google.com/"; type="text/html" width="100%" > height="100%"></IFRAME> > > Naturally that rather obvious URL could be encoded, or cut down to > prevent the obvious anomaly. However, I feel the facebook domain name > itself would be enough to fool most users. This is not a significant aspect of this vulnerability. You could go and register http://www.facebook-secure.com/ (or similar) and that would leave users more than happy to believe & trust it is Facebook. Things can be different if the XSS is on an https-supporting login domain, but that does not seem to be the case here. Cheers Chris > > http://2.channel15.facebook.com/iframe/7/?pv=49&rev=%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E > > ---------------- > > *Similar vulnerabilities had been spoken about on a credit card fraud > (carding) forum prior to my discovery of this. Possibly for the use of > phisihing.* > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
