Facebook Shuts Cross-Site Scripting Holes

Monday, April 22, 2013 @ 05:04 PM gHale


As the automation industry draws closer and closer to social media, it only makes sense to harp on the fact that users need to be plenty careful when trying to leverage the great potential that is out there.

Along those lines, Facebook closed various cross-site scripting (XSS) holes.


Nir Goldshlager, chief executive of security firm Break Security, which discovered the holes, said the social network was vulnerable to attacks through its Chat feature as well as its “Check in” and Messenger for Windows components.

In the Chat window, for example, attackers were able to share links that Facebook did not adequately check. This enabled attackers to add disguised JavaScript commands to links that the Chat client automatically inserted into href parameters. When users clicked on these specially crafted messages, the injected code executed on their systems.

The “Check in” service could be manipulated by creating custom locations whose settings allowed attackers to inject JavaScript code. That client-side XSS code would then execute when users checked in at such a location.

Messenger for Windows could be compromised by creating a Facebook page, since pages can send messages to all users. If JavaScript code was entered as part of the page name and the page then sent out messages, the script would execute on users’ machines as soon as they logged into Messenger.
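All three holes share one root cause: a user-controlled string (a shared link, a location name, a page name) reached the rendered page without being validated or escaped. The following added example, which is not Facebook's code and is not taken from Break Security's report, shows the pattern in plain JavaScript: a link rendered by string concatenation (the weak form), beside a hardened version that restricts the href to http(s) URLs and HTML-escapes everything else, plus the same escaping applied to free-text names. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example, not Facebook's code. Demonstrates why unescaped user input in
// href attributes and display names leads to XSS, and one way to neutralise it.

// Escape the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Only accept absolute http(s) URLs as link targets. Anything else (javascript:,
// data:, unparsable text) is rejected. Uses the WHATWG URL parser built into Node.
function safeHref(link) {
  let url;
  try {
    url = new URL(String(link));
  } catch (e) {
    return null; // not a parsable absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href; // normalised; quotes and spaces in the path are percent-encoded
}

// Weak form: the link is dropped straight into the href attribute, so a link
// with a script scheme (or a quote that closes the attribute) is executed as-is.
function renderLinkUnsafe(link, label) {
  return `<a href="${link}">${label}</a>`;
}

// Hardened form: scheme-validated href, escaped attribute, escaped label.
// If the link is rejected, the label is still shown but no anchor is emitted.
function renderLinkSafe(link, label) {
  const href = safeHref(link);
  if (href === null) return escapeHtml(label);
  return `<a href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
}

// Location names and page names are plain text; they are only ever escaped,
// never interpreted as markup.
function renderName(name) {
  return `<span class="name">${escapeHtml(name)}</span>`;
}

// Constructed sample inputs (not real Facebook data).
const sampleLink = 'javascript:void(0)';
const sampleName = 'Cafe <script>run()</script>';

console.log('unsafe:', renderLinkUnsafe(sampleLink, 'open'));
console.log('safe:  ', renderLinkSafe(sampleLink, 'open'));
console.log('name:  ', renderName(sampleName));
```

The scheme check matters as much as the escaping: escaping alone would keep a `javascript:` URL intact inside a well-formed attribute, and the browser would still run it on click. Rejecting anything that is not http(s) closes that gap regardless of how the rest of the markup is assembled.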
