Facebook XSS in the wild

**Google** · 09-03-2010

Check this, it was found today:
http://www.facebook.com/photo_search...29946463714673

Now hackers can benefit from this to hijack accounts until facebook fixes the bug.

SysTaMatIcS · 09-03-2010

So i can write whatever i want in this? instead of heya , how can hacker make use of this?
<script>alert('HEYYAAA')</script>

RUSSIAN · 09-03-2010

Replace it with any JS code you want.

**Google** · 09-04-2010

Quote:

Originally Posted by SysTaMatIcS

So i can write whatever i want in this? instead of heya , how can hacker make use of this?
<script>alert('HEYYAAA')</script>

This HEYYAAA alert box is a proof of concept of the exploit. It means that you can inject JavaScript code on this page. Injecting JavaScript in the page means that you are able to steal other user's cookies. Stealing other user's cookie means you are able to impersonate that user and hijack his/her account.

**Google** · 09-06-2010

This exploit is now fixed by Facebook team.
"Yalli darab darab, wyalli harab harab"

**Google** · 04-02-2011

Video:

You Tube

I reported this vulnerability to Facebook and xssed.com so it will soon be fixed. Enjoy for now

SysTaMatIcS · 04-03-2011

lol get a job at fb , security counselor

09-03-2010	#1
Google Last Online: 05-30-2013 Join Date: Jan 2008 Posts: 1,788 Thanks: 10,018 Thanked 1,100 Times in 651 Posts Groans: 1 Groaned at 6 Times in 6 Posts	Facebook XSS in the wild Check this, it was found today: http://www.facebook.com/photo_search...29946463714673 Now hackers can benefit from this to hijack accounts until facebook fixes the bug. __________________

09-03-2010	#2
SysTaMatIcS Registered Member Last Online: 10-14-2022 Join Date: Dec 2006 Posts: 10,467 Thanks: 14,136 Thanked 4,244 Times in 2,547 Posts Groans: 186 Groaned at 198 Times in 120 Posts	So i can write whatever i want in this? instead of heya , how can hacker make use of this? <script>alert('HEYYAAA')</script> __________________ problems of performance appraisal is that it sucks to memorize them

09-03-2010	#3
RUSSIAN Registered Member Last Online: 10-08-2023 Join Date: Nov 2009 Posts: 569 Thanks: 838 Thanked 232 Times in 174 Posts Groans: 24 Groaned at 16 Times in 13 Posts	Replace it with any JS code you want. __________________ What about a 500+ symbols long, colored signature with URL allowed and size limited to 7?

09-06-2010	#5
Google Last Online: 05-30-2013 Join Date: Jan 2008 Posts: 1,788 Thanks: 10,018 Thanked 1,100 Times in 651 Posts Groans: 1 Groaned at 6 Times in 6 Posts	This exploit is now fixed by Facebook team. "Yalli darab darab, wyalli harab harab" __________________

04-03-2011	#7
SysTaMatIcS Registered Member Last Online: 10-14-2022 Join Date: Dec 2006 Posts: 10,467 Thanks: 14,136 Thanked 4,244 Times in 2,547 Posts Groans: 186 Groaned at 198 Times in 120 Posts	lol get a job at fb , security counselor __________________ problems of performance appraisal is that it sucks to memorize them

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)