A security researcher discovered a new cross-site-scripting vulnerability on Facebook, days after the social networking giant patched a different XSS flaw in its mobile API. At least one active scam is exploiting the new bug at this time.
“Found another instance of that Facebook app XSS—and it’s a Facebook XSS issue. Do not click links involving a video of a bully,”Joey Tyson, a security engineer at Gemini Security Solutions, posted on Twitter. Tyson writes about social networking sites’ privacy and security issues on his blog, Social Hacking.
The app can post the link to the “video” on the user’s wall, add the user to a scam event and send invites to the event to friends, and send out the link on Facebook Chat.
Many past Facebook scams displayed a page and told users to download a plug-in—really malware—to view the video, or just redirected users to a survey or another malicious site. Viewers rarely saw the video they’d clicked to see.
Facebook has informed Tyson that it is tracking the attack and will be pushing out an update “soon,” according to Tyson. Facebook has removed several of the apps already, which made it a little challenging for Tyson to find an active scam to analyze. He pasted the actual exploit code on text-sharing site Pastebin, which pointed to a video titled “Pal Pushes Bully.”