XSS Vulnerability at thefacebook.com
XSS Vulnerability at thefacebook.com
Not surprisingly, ``thefacebook'' <http://www.thefacebook.com/>
contains an XSS hole. Basically, the signup form for paid
announcements lets you add a school to display the announcement at.
The script that adds the school accepts the name of the school as the
"add" argument. Any HTML can be injected here, leading to an XSS
exploit. Here's a sample injection:
http://www.thefacebook.com/announce.php?step=1&add=
<script>
var c = document.cookie;
alert("Security hole. ");
document.write("Your cookie is: <b>");
document.write(c);
document.write("</b>.<br><br><h1><font color=red>All of your personal
information has been compromised.</b></font></h1></html>");
</script>
(pretty printed for easy analysis; put everything on one line to test
this)
This can be used to steal a user's session cookie if you can convince
him to click the link. That should be easy since thefacebook.com often
sends e-mails saying "click here to join XYZ group". Just make one
look convincing and you can conceivably obtain the personal information
of anyone at the school that that user attends. Seems like an
excellent way to harvest e-mail addresses, cell phone numbers, AIM
screennames, etc.
Obviously you would need to modify the above script to do this; the
code above prints the user's cookie, displays a dialog that says
"Security hole.", and writes "All of your personal information has been
compromised." to the screen in a scary red font.
For those just tuning in, the usual way of exploiting XSS holes is to
load an image or iframe from a site you control with the output of
document.cookie in the URL somewhere. Then you can extract the stolen
cookies from your access log. Even more fun is load a remote perl
script and send the cookie as the argument. Then your script can call
curl --cookie "example=cookie" and get a privileged page. Then you can
parse it and display key facts back to the user (via an iframe). For
example, you could write: "Your personal information has been stolen.
Your girlfriend's phone number is 123.456.7890" Perhaps this will
teach users not to supply their personal information to an insecure,
untrusted site that presumably profits from allowing other people to
view this information!
In addition, it also seems like this hole can allow you to get a
discount on their advertising rates. For example, adding the school
named 'Ill.%20Chicago%20<b>' will reduce the ad rate from $12 to $10
(at the time of this writing; the web form looked like it would have
let me pay $10 for an ad at "Ill. Chicago").
The latest version of this advisory is available at:
<http://www.uic.edu/~jrockw2/20050207_facebook.txt>
Regards,
--
Jonathan Rockway <jrockway@xxxxxxxxxxxx>
Student - University of Illinois at Chicago
http://www.uic.edu/~jrockw2/index.html