Facebook vulnerable to critical XSS, could lead to malware attacks

Facebook, the second most popular social networking site in the U.S. according to Nielsen, is currently vulnerable to a critical XSS, allowing the injection and execution of malicious scripts within the popular site. As you can see in the attached screenshot, the harmless injected scripts in the demonstration load successfully, making it possible to abuse the trust relationship between Facebook and its users in order to use the site as an infection vector. What are the implications of this vulnerability, and has this infection vector already been abused in the past?

Facebook XSS vulnerability

The most recent related incidents serving malware and live exploit URLs, due to vulnerable web applications, successfully targeted a great number of high-profile targets, introducing Zlob trojans in the form of fake video codecs, and were initially traced back to infrastructure provided by the Russian Business Network. Consequently, the potential for abusing the XSS within Facebook is fully realistic. It's also important to emphasize another perspective: what if there wasn't a working XSS within Facebook? How would the malicious parties adapt in order to achieve their objectives and harness the traffic of a reputable, high-traffic site if there are no vulnerabilities within it that they could exploit? They'll simply emphasize the long tail of SQL injection attacks and target everyone, so that the traffic generated from the hundreds of thousands of affected web sites could, at least theoretically, match the traffic that could have been received from a major high-profile site.

The security folks at Facebook have been notified; a live fix is pending.

UPDATE: The vulnerability has been fixed at 15:07 PM.


About

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community.
