Unpatched Facebook XSS flaw exploited for Wall posting
By Gina on March 30, 2011 | Vulnerabilities, Facebook XSS flaw, Facebook XSS vulnerability, Facebook vulnerability, rogue messages
It was recently noted that an unpatched XSS flaw in the mobile API version of Facebook is being used by cybercriminals to post messages on users' Walls. These rogue messages link victims to a website that exploits the vulnerability.
The vulnerability has been exploited for some time, but it is only now spreading widely. At present, Indonesian users are being targeted by various groups using this flaw for their own malicious ends.
Symantec commented on the issue: “It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s ‘refresh’ value to redirect the browser to the prepared URL containing the JavaScript. Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall.”
These messages spread by themselves and require no action from the user. Facebook’s security team is already aware of the vulnerability and is working on a fix. Until then, users are advised to log out of Facebook when they are not actively using it, or to use script-blocking add-ons that prevent this kind of attack.
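The mechanism Symantec describes works because the browser sends the logged-in user’s session cookie with any request a third-party page triggers, and because text carried in the URL is reflected into the page unescaped. The following is an added illustration (not Facebook’s or Symantec’s code) of the two server-side controls that close this class of flaw on a hypothetical wall-post endpoint: HTML-escaping reflected parameters, and requiring both a per-session anti-CSRF token and a trusted request origin before a state-changing post is accepted. The origin names and the `wall_post_allowed`/`render_status_page` functions are assumptions made for the example.

```python
import html
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: the origins from which the site's own pages are served.
# A real deployment would list its actual hostnames here.
TRUSTED_ORIGINS = {"https://m.example-social.test", "https://www.example-social.test"}


def render_status_page(message: str) -> str:
    """Hardened rendering: text reflected from a request parameter is
    HTML-escaped, so markup in the parameter is displayed literally
    rather than parsed and executed by the browser."""
    return "<p>Your status: " + html.escape(message, quote=True) + "</p>"


def render_status_page_vulnerable(message: str) -> str:
    """The reflection pattern that lets a URL-carried payload execute:
    the parameter is placed into the page verbatim. Kept only for contrast."""
    return "<p>Your status: " + message + "</p>"


def issue_csrf_token() -> str:
    """Per-session anti-CSRF token. It is stored server-side with the
    session and embedded only in the site's own pages, so a page on
    another origin cannot read it."""
    return secrets.token_urlsafe(32)


def _request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Derive the requesting origin from the Origin header, falling back
    to the Referer header when Origin is absent."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def wall_post_allowed(headers: Dict[str, str], session_token: str,
                      submitted_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a state-changing 'post to wall' request may proceed.

    The session cookie is sent automatically, including for requests a
    third-party page triggers through an iframe or a refresh redirect, so
    the cookie alone proves nothing about who initiated the request.
    Two independent checks close that gap:
      1. the request must carry the per-session token (compared in
         constant time);
      2. the request's origin must be one of the site's own origins.
    """
    if not submitted_token or not hmac.compare_digest(
            session_token.encode("utf-8"), submitted_token.encode("utf-8")):
        return False, "missing or invalid anti-CSRF token"
    origin = _request_origin(headers)
    if origin is None:
        return False, "no Origin or Referer header"
    if origin not in TRUSTED_ORIGINS:
        return False, f"cross-site request from {origin}"
    return True, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    # Constructed sample: a post submitted from one of the site's own pages.
    print(wall_post_allowed({"Origin": "https://m.example-social.test"}, token, token))
    # Constructed sample: the same request triggered from a third-party page,
    # which cannot supply the token.
    print(wall_post_allowed({"Referer": "https://third-party.test/page"}, token, None))
    # Constructed sample: reflected markup is rendered inert.
    print(render_status_page("<b>hi</b>"))
```

Both checks are needed: the origin check alone can be defeated when the request is made from within the site's own origin (which is exactly what a reflected XSS payload achieves), while the token check alone does not help if the token leaks into a page an attacker controls. Escaping the reflected parameter removes the foothold that let script run in the site's origin in the first place.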