Facebook Hit by XSS Worm

[Peaches]

Facebook Hit by XSS Worm

March 30th, 2011, 07:30 GMT| By Lucian Constantin

A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec.

The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation. In order to exploit it, attackers created a Web page containing a specially crafted iframe element that forced all logged in Facebook users visiting it to post rogue messages on their walls. By crafting the spammed message to lure users into visiting the malicious site, the hackers were able to create a self-propagating worm.

The Symantec experts say the vulnerability was exploited in more limited attacks before being used to launch the worm, but also note that more copy cats followed the initial wave. Some browsers have anti-XSS filters built-in by default, but they are not very efficient. The only one that can block a significant number of attacks is included in the NoScript Firefox extension.

XSS worms used to be quite frequent in 2009, however, social media websites have since gotten better at preventing such attacks. Nevertheless, some continue to pop up from time to time. Actually, the last one launched on Facebook occurred earlier this month and was used to spread weight loss spam.

Details - http://news.softpedi...rm-192045.shtml