Facebook Bully Video Actually an XSS Exploit

A security researcher discovered a new cross-site-scripting vulnerability on Facebook, days after the social networking giant patched a different XSS flaw in its mobile API. At least one active scam is exploiting the new bug at this time.

"Found another instance of that Facebook app XSS—and it's a Facebook XSS issue. Do not click links involving a video of a bully," Joey Tyson, a security engineer at Gemini Security Solutions, posted on Twitter. Tyson writes about social networking sites' privacy and security issues on his blog, Social Hacking.

The flaw has to do with the way browsers load certain links formatted in "a certain syntax" as JavaScript even though they are not filtered by JavaScript, Tyson said. It is more sophisticated than most XSS attacks as the actually video does load for the user. The "JS payload can do quite a bit," Tyson added.

The app can post the link to the "video" on the user's wall, add the user to a scam event and send invites to the event to friends, and send out the link on Facebook Chat.

Many past Facebook scams displayed a page and told users to download a plug-in—really malware—to view the video, or just redirected users to a survey or another malicious site. Viewers rarely saw the video they'd clicked to see.

Facebook has informed Tyson that it is tracking the attack and will be pushing out an update "soon," according to Tyson. Facebook has removed several of the apps already, which made it a little challenging for Tyson to find an active scam to analyze. He pasted the actual exploit code on text-sharing site Pastebin, which pointed to a video titled "Pal Pushes Bully."

A malicious app called "April Fools Prank" identified by Google engineer Ashish Bhatia on his personal blog appears to have used the same exploit, according to Tyson.

Users on Facebook who click on a link and land on an app page with an embedded video should not click on the video, Tyson warned. Infected users should check "liked" pages for any rogue sites and reset their passwords.

Tyson confirmed to eWEEK on Twitter that this flaw was different from the mobile API XSS flaw that Facebook patched on March 31.

The bug in the mobile API allowed malicious apps to automatically post spam messages on users' walls, according to Symantec. As unsuspecting friends clicked on the links embedded in the wall posts, the infection spread even further. There were several copycat attacks exploiting this XSS flaw, which was caused by insufficient JavaScript filtering.

Any user logged into Facebook and accessing a site with the malicious JavaScript code on a mobile device would automatically post the spam message on his or her wall, said Symantec security expert Candid Wueest.

"There is no other user interaction required, and there are no tricks involved, like clickjacking. Just visiting an infected Website is enough to post a message that the attacker has chosen," said Wueest.

Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent these kinds of attacks.