In this video, I demonstrate a Facebook cross-site scripting vulnerability being taken advantage of.
So right now I am in Safari, logged into my fake account and viewing my fake account's profile. Scroll down to the bottom; you can see the last post was made by a guy named Andrew. And also, I currently only have one friend, also named Andrew.
I am going to go to Firefox now. The exploit is set up to work in Firefox, and right now it is in Safari. Logging into my real account now, viewing my fake account's profile. As you can see, a style sheet is being placed over the Facebook one, and also two iframes have been injected.
And in the top frame, a friend request was sent by the viewer, without my approval, to my fake account, and now in that fake account I am going to accept that friend request.
Once I have accepted the friend request, the little thing playing in the second iframe will work. The second iframe just writes on the wall, but you can't write on the wall until you are friends with someone.
So I am going to refresh now to make the viewer write on the wall, and as you can see, the style sheet is not applied immediately because it is being injected after the Facebook style sheets have mostly loaded. And in the top frame, nothing is really going to happen because we are already friends. But in the bottom one, I have now just written to my fake account's wall.
Because I am not calling the Ajax, if you scroll to the bottom, it does not appear; the viewer does not know anything has happened. So in order to see the results, we are going to have to refresh.
Once you refresh, you can scroll down to the bottom, and what you will see is that I have now just written on the wall without actually doing anything.
You are probably saying, cute, right? But it is just a wall post. Why does it matter?
Actually, this script can do anything the viewer can do. Facebook uses hidden form IDs to keep attackers from submitting forms on behalf of unwitting users. However, once malicious code is embedded in the site, that form ID can be accessed by the attacker. The attacker can then inject iframes, much like I did.
I made the iframes visible for the sake of demonstration, but they can be made invisible so the viewer has no idea that this is happening.
Those frames can then submit forms using the credentials of the user. The attacker can issue friend requests, make wall posts and turn off privacy settings, all while impersonating the viewer.
The code can also, interestingly, install third-party Facebook applications on the viewer's account to try to spread.
Transcription by:
Scribe4you Transcription Services