Facebook Hit by XSS Worm



March 30th, 2011, 07:30 GMT | By Lucian Constantin

A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec.

The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation. In order to exploit it, attackers created a Web page containing a specially crafted iframe element that forced all logged-in Facebook users visiting it to post rogue messages on their walls. By crafting the spammed message to lure users into visiting the malicious site, the hackers were able to create a self-propagating worm.

The Symantec experts say the vulnerability was exploited in more limited attacks before being used to launch the worm, but also note that more copycats followed the initial wave. Some browsers have anti-XSS filters built in by default, but they are not very efficient. The only one that can block a significant number of attacks is included in the NoScript Firefox extension.

XSS worms used to be quite frequent in 2009; however, social media websites have since gotten better at preventing such attacks. Nevertheless, some continue to pop up from time to time. Actually, the last one launched on Facebook occurred earlier this month and was used to spread weight loss spam.

Details - http://news.softpedi...rm-192045.shtml
