Facebook and XSS – a sample in action! :P
Today, I checked Facebook and got a spam wall post. I suspected it was an FB API + XSS exploit and looked into this matter. What a coincidence with the new project! =P
So after the first Google result I get a complete rundown on how to XSS exploit someone’s account.
http://www.cs.virginia.edu/felt/fbook/facebook-xss-censored.pdf
turns out it is fairly simple to execute!
This shows how even some of the most trusted sites where we share a lot of information can be manipulated to do malicious things. This is one of the real weaknesses of social networking and a open applications API, as javascript works across a whole page without private/public members that we are accustomed to in traditional OOP.
Comment by felixctc
March 8, 2008 @ 1:53 pm
To tie this to what we learned recently from a guest lecture, it also shows how important it is to take security into considerations during the design and implementation stage in a software development lifecycle. This way, attacks like this wouldn’t be so easy to execute.
Here’s a link that talks a little more about hackers attacks on MySpace and facebook.:
http://www.computing.co.uk/vnunet/news/2210932/buffer-overflow-hacks-target
Comment by joyleung
March 10, 2008 @ 10:43 pm
It is somewhat frightening how easy it can be to look up working exploits for software on the internet. Especially if it is the first hit on google. Is it right for people to research into weaknesses (like breaking encryption) and post them openly on the internet? I just wonder if the damage done by posting flaws on the internet exceed the damage that would be done if the software company were contacted privately.