Facebook XSS flaw misused for automatic Wall posting
Posted on 29 March 2011.
A currently unpatched XSS vulnerability in the mobile API version of Facebook is currently being exploited to post messages to users' Walls, which serve as a gateway to the specially crafted website exploiting the flaw.

The flaw has been misused for a while now, but has only recently been used widely. Indonesian users are currently targeted by various groups using the vulnerability to their advantage.

"It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript," explains Symantec. "Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall."

No user interaction is needed, so the messages are spreading through Facebook at a fast pace. Facebook's security team has been notified about the vulnerability and is working on a fix. Hopefully it will be issued soon, since the attack seems easy to recreate.

Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent the attack.






Spotlight

Windows 0-day exploited in ongoing attacks, temporary workarounds offered

Posted on 22 October 2014.  |  A new Windows zero-day vulnerability is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //