Join the God Side, Jesus is Coming…….

Source: eweek

A security researcher discovered a new cross-site-scripting vulnerability on Facebook, days after the social networking giant patched a different XSS flaw in its mobile API. At least one active scam is exploiting the new bug at this time.

“Found another instance of that Facebook app XSS—and it’s a Facebook XSS issue. Do not click links involving a video of a bully,”Joey Tyson, a security engineer at Gemini Security Solutions, posted on Twitter. Tyson writes about social networking sites’ privacy and security issues on his blog, Social Hacking.

The flaw has to do with the way browsers load certain links formatted in “a certain syntax” as JavaScript even though they are not filtered by JavaScript, Tyson said. It is more sophisticated than most XSS attacks as the actually video does load for the user. The “JS payload can do quite a bit,” Tyson added.

The app can post the link to the “video” on the user’s wall, add the user to a scam event and send invites to the event to friends, and send out the link on Facebook Chat.

Many past Facebook scams displayed a page and told users to download a plug-in—really malware—to view the video, or just redirected users to a survey or another malicious site. Viewers rarely saw the video they’d clicked to see.

Facebook has informed Tyson that it is tracking the attack and will be pushing out an update “soon,” according to Tyson. Facebook has removed several of the apps already, which made it a little challenging for Tyson to find an active scam to analyze. He pasted the actual exploit code on text-sharing site Pastebin, which pointed to a video titled “Pal Pushes Bully.”



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Tag Cloud

%d bloggers like this: