May 23rd, 2008

Facebook vulnerable to critical XSS, could lead to malware attacks

Posted by Dancho Danchev @ 7:12 am

Categories: Responsible disclosure, Spyware and Adware, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Facebook, XSS, Malware, Malicious Script, Malicious iFrame, Drive-by Exploits, Dancho Danchev

Facebook, the second most popular social networking site in the U.S. according to Nielsen, is currently vulnerable to a critical XSS flaw that allows the injection and execution of malicious scripts within the popular site. As you can see in the attached screenshot, the harmless injected scripts in the demonstration load successfully, making it possible to abuse the trust relationship between Facebook and its users in order to use the site as an infection vector. What are the implications of this vulnerability, and has this infection vector already been abused in the past?

Facebook XSS vulnerability

The most recent related incidents serving malware and live exploit URLs through vulnerable web applications successfully targeted a great number of high-profile targets, introducing Zlob trojans in the form of fake video codecs, and were initially traced back to infrastructure provided by the Russian Business Network. Consequently, the potential for abusing the XSS within Facebook is fully realistic. It's also important to consider another perspective: what if there wasn't a working XSS within Facebook? How would the malicious parties adapt in order to achieve their objectives and harness the traffic of a reputable, high-traffic site if it had no vulnerabilities they could exploit? They'll simply turn to the long tail of SQL injection attacks and target everyone, so that the traffic generated from the hundreds of thousands of affected web sites could, at least theoretically, match the traffic that could have been received from a major high-profile site.

The security folks at Facebook have been notified; a live fix is pending.

UPDATE: The vulnerability has been fixed at 15:07 PM.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
