Facebook closes cross-site scripting holes
Contributed by: Email on 04/19/2013 02:42 PM
[
Comments
]
Facebook has closed various cross-site scripting (XSS) holes that were discovered by security firm Break Security and which have now been described in greater detail. Break Security's CEO, Nir Goldshlager, explains that the social network was vulnerable to attacks through its Chat feature as well as its "Check in" and Messenger for Windows components.
In the Chat window, for example, attackers were able to share links that weren't adequately checked by Facebook. This enabled attackers to add disguised java script commands to links that were then automatically inserted into href parameters by the Chat client. When users clicked on these specially crafted messages, the injected code was executed on their systems.
The "Check in" service could be manipulated by creating custom locations into which attackers were then able to inject java script code through their settings. That client-side XSS code was executed when users checked in at such a location.
Messenger for Windows could be compromised by creating a Facebook page. Pages can send messages to all users. If java script code was entered as part of the page name, and the page sent out messages to users, the script would be executed on users' machines as soon as they logged into Messenger.
Check the images HERE
In the Chat window, for example, attackers were able to share links that weren't adequately checked by Facebook. This enabled attackers to add disguised java script commands to links that were then automatically inserted into href parameters by the Chat client. When users clicked on these specially crafted messages, the injected code was executed on their systems.
The "Check in" service could be manipulated by creating custom locations into which attackers were then able to inject java script code through their settings. That client-side XSS code was executed when users checked in at such a location.
Messenger for Windows could be compromised by creating a Facebook page. Pages can send messages to all users. If java script code was entered as part of the page name, and the page sent out messages to users, the script would be executed on users' machines as soon as they logged into Messenger.
Check the images HERE
Comments
