Project XSSed, the clearing house for cross-site scripting flaws, has just released details on four flaws affecting Facebook's developers page, iPhone login page and new user registration page, potentially helping malicious attackers add more legitimacy to their campaigns.
Take Koobface, for instance. It scaled so efficiently without exploiting any flaw specific to a social networking site, relying only on social engineering tactics that delegated the entire spreading process to the already infected user, which in a trusted environment of friends proved to be a successful form of propagation. Despite the possibility of actively exploiting such flaws in phishing and malware campaigns, cybercriminals appear to be no longer interested in such noisy approaches, at least not while attempting to spread malware across social networking sites. Among the main reasons for this is the fact that their entire campaign would then depend on a single propagation vector, which, once taken care of through technical means, would render the campaign useless. Instead, just as the Koobface gang continues to do, they mix social engineering vectors by abusing legitimate brands as redirectors to the malware-infected hosts serving the fake YouTube videos.