A security researcher has identified a bully video as a malicious app exploiting yet another cross-site-scripting vulnerability on Facebook with a very sophisticated payload.
security researcher discovered a new cross-site-scripting vulnerability on
Facebook, days after the social networking giant patched a different XSS flaw
in its mobile API. At least one active scam is exploiting the new bug at this
another instance of that Facebook app XSS-and it's a Facebook XSS issue. Do not
click links involving a video of a bully," Joey
, a security engineer at Gemini Security Solutions, posted on Twitter.
Tyson writes about social networking sites' privacy and security issues on his
blog, Social Hacking.
flaw has to do with the way browsers load certain links formatted in "a
Tyson said. It is more sophisticated than most XSS attacks as the actually
video does load for the user. The "JS payload can do quite a bit,"
app can post the link to the "video" on the user's wall, add the user
to a scam event and send invites to the event to friends, and send out the link
on Facebook Chat.
past Facebook scams displayed a page and told users to download a plug-in-really
, or just redirected users to a survey or another malicious site.
Viewers rarely saw the video they'd clicked to see.
has informed Tyson that it is tracking the attack and will be pushing out an
update "soon," according to Tyson. Facebook has removed several of
the apps already, which made it a little challenging for Tyson to find an
active scam to analyze. He pasted the actual exploit code on text-sharing site
Pastebin, which pointed to a video titled "Pal Pushes Bully."
malicious app called "April
" identified by Google engineer Ashish Bhatia on his personal
blog appears to have used the same exploit, according to Tyson.
on Facebook who click on a link and land on an app page with an embedded video
should not click on the video, Tyson warned. Infected users should check "liked"
pages for any rogue sites and reset their passwords.
confirmed to eWEEK on Twitter that this flaw was different from the mobile API
XSS flaw that Facebook patched on March 31.
bug in the mobile API allowed malicious apps to automatically post spam
messages on users' walls, according to Symantec. As unsuspecting
clicked on the links embedded in the wall posts, the infection
spread even further. There were several copycat attacks exploiting this XSS
code on a mobile device would automatically post the spam message on his or her
wall, said Symantec security expert Candid Wueest.
is no other user interaction required, and there are no tricks involved, like
clickjacking. Just visiting an infected Website is enough to post a message
that the attacker has chosen," said Wueest.
advises users to log out of Facebook when they are not actively using it or to
use script-blocking add-ons to prevent these kinds of attacks.