Jump to content

Facebook Hit by XSS Worm

Starbuck
 Share

Recommended Posts

  • ExTS Admin
Starbuck Newbie

Starbuck

Posted
  • ExTS Admin
Posted

http://img.photobucket.com/albums/v708/starbuck50/facebook-1.jpg A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec.

 

The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation.

 

In order to exploit it, attackers created a Web page containing a specially crafted iframe element that forced all logged in Facebook users visiting it to post rogue messages on their walls.

 

By crafting the spammed message to lure users into visiting the malicious site, the hackers were able to create a self-propagating worm.

 

The Symantec experts say the vulnerability was exploited in more limited attacks before being used to launch the worm, but also note that more copy cats followed the initial wave.

 

Some browsers have anti-XSS filters built-in by default, but they are not very efficient. The only one that can block a significant number of attacks is included in the NoScript Firefox extension.

 

XSS worms used to be quite frequent in 2009, however, social media websites have since gotten better at preventing such attacks.

 

Nevertheless, some continue to pop up from time to time. Actually, the last one launched on Facebook occurred earlier this month and was used to spread weight loss spam.

 

In October last year, French security researchers demonstrated two information stealing worms that worked by exploiting cross-site request forgery and cross-site scripting vulnerabilities on Facebook.

 

According to Symantec's Candid Wueest, Facebook has since addressed the vulnerability. "Facebook has informed us that they have patched this XSS vulnerability. In addition, they are currently working on steps to remediate damage caused by the attacks," he says.

 

Last year Twitter was hit by a massive and more resilient XSS worm that locked hundreds of thousands of users out of their accounts.

 

 

 

Source:

http://news.softpedia.com/news/Facebook-Hit-by-XSS-Worm-192045.shtml

Member of:

UNITE

  • Replies 0
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...