XSS Vulnerability at thefacebook.com

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XSS Vulnerability at thefacebook.com
From: Jonathan Rockway <jrockw2@xxxxxxx>
Date: Mon, 7 Feb 2005 08:05:23 -0600
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

XSS Vulnerability at thefacebook.com

Not surprisingly, ``thefacebook'' <http://www.thefacebook.com/>contains an XSS hole. Basically, the signup form for paidannouncements lets you add a school to display the announcement at.The script that adds the school accepts the name of the school as the"add" argument. Any HTML can be injected here, leading to an XSSexploit. Here's a sample injection:


http://www.thefacebook.com/announce.php?step=1&add=
<script>
var c = document.cookie;
alert("Security hole. ");
document.write("Your cookie is: <b>");
document.write(c);

document.write("</b>.<br><br><h1><font color=red>All of your personalinformation has been compromised.</b></font></h1></html>");

</script>

(pretty printed for easy analysis; put everything on one line to testthis)

This can be used to steal a user's session cookie if you can convincehim to click the link. That should be easy since thefacebook.com oftensends e-mails saying "click here to join XYZ group". Just make onelook convincing and you can conceivably obtain the personal informationof anyone at the school that that user attends. Seems like anexcellent way to harvest e-mail addresses, cell phone numbers, AIMscreennames, etc.

Obviously you would need to modify the above script to do this; thecode above prints the user's cookie, displays a dialog that says"Security hole.", and writes "All of your personal information has beencompromised." to the screen in a scary red font.

For those just tuning in, the usual way of exploiting XSS holes is toload an image or iframe from a site you control with the output ofdocument.cookie in the URL somewhere. Then you can extract the stolencookies from your access log. Even more fun is load a remote perlscript and send the cookie as the argument. Then your script can callcurl --cookie "example=cookie" and get a privileged page. Then you canparse it and display key facts back to the user (via an iframe). Forexample, you could write: "Your personal information has been stolen.Your girlfriend's phone number is 123.456.7890" Perhaps this willteach users not to supply their personal information to an insecure,untrusted site that presumably profits from allowing other people toview this information!

In addition, it also seems like this hole can allow you to get adiscount on their advertising rates. For example, adding the schoolnamed 'Ill.%20Chicago%20<b>' will reduce the ad rate from $12 to $10(at the time of this writing; the web form looked like it would havelet me pay $10 for an ad at "Ill. Chicago").


The latest version of this advisory is available at:
<http://www.uic.edu/~jrockw2/20050207_facebook.txt>

Regards,
--
Jonathan Rockway <jrockway@xxxxxxxxxxxx>
Student - University of Illinois at Chicago
http://www.uic.edu/~jrockw2/index.html

Prev by Date: [SECURITY] [DSA 669-1] New php3 packages fix several vulnerabilities
Next by Date: VOIPSEC
Previous by thread: [SECURITY] [DSA 669-1] New php3 packages fix several vulnerabilities
Next by thread: VOIPSEC
Index(es):
- Date
- Thread