Facebook Vulnerable To Serious XSS Attack

If you can't trust your friends, who can you trust? On Facebook, you better think before you click that link, a security researcher warns ...

Dark Reading logo in a gray background | Dark Reading

If you can't trust your friends, who can you trust? On Facebook, you better think before you click that link, a security researcher warns ...According to the cross-site scripting attack information site , security researcher Mox has submitted a critical XSS vulnerability that would make it possible for attackers to infect users with spyware, adware, and just maybe anything else they want.

This is a serious vulnerability and it makes it possible for attackers to leverage the trust of 70 million Facebook users.

Hopefully, this gets fixed soon.

A harmless example of the attack is available here.

If you tried the example above, and had that dialog box been a real attack, you could have been really, really, hosed.

XSS attacks are a rapidly growing scourge within Web applications. In effect, they enable an attacker to insert code into Web pages so that sessions can be hijacked, and anything from Trojans to spyware to annoying adware can be served.

It was just over a month ago that XSS vulnerabilities were spotted at the Web sites of both Barack Obama and Hillary Clinton.

Adrienne Felt, a student at the University of Virginia School of Engineering, wrote an interesting paper on security and the Facebook platform. If you're interested in more detail on how these sort of attacks work, that paper, "Defacing Facebook: A Security Case Study," is available here.

A video demo of Felt's work is here.

In the most recent edition of the Open Web Application Security Project (OWASP) Top Ten vulnerabilities, XSS tops the list.

About the Author

George V. Hulme, Contributing Writer

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights