Today we present another flaw on Facebook: cross-site scripting (XSS) in several places (chat, check-in and Messenger). The security researcher with the Twitter handle "@Nirgoldshlager" published the PoC online with a video. The first bug he found was in Facebook chat. When a new conversation is started inside Facebook, a link is sent like an attachment, so by changing the request into something malicious the attacker was able to get the payload to work: <a href="javascript:alert(6)">PoC Click Me</a>. Every time the message is clicked, the XSS is executed.
The second bug was on the check-in page, where the XSS is executed wherever the attacker has gone. For this, the attacker has to create a new place (https://www.facebook.com/pages/create/) and execute the vector there:
<img src="a.jpg"onerror=javascript:alert(6)>
The third one was in Facebook Messenger (Windows). This can be done by setting a malicious name to the payload; after the message is sent, the XSS is executed every time the user clicks the link.
Facebook is on the verge of patching this, as the PoC is public.
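From the defender's side, the bugs described above come down to a link attachment whose URL scheme is not checked and a user-supplied name that reaches HTML unescaped. The following is an added example, not code from the researcher or from Facebook: a server-side scheme allowlist plus output escaping, with hypothetical helper names, run against the two vectors quoted in this post.

```javascript
// Added defensive example (not Facebook's code): server-side handling of the
// two user-controlled values described above before they reach HTML.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape text for HTML element content and quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return a normalized http(s) URL, or null when the link must be rejected.
// The WHATWG URL parser lowercases the scheme and strips leading whitespace
// and embedded tabs/newlines, so "JaVa\tScRiPt:" cannot slip past the check.
function normalizeLinkUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // no base: relative or scheme-less input throws
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render a link attachment (hypothetical helper). Rejected links become text.
function renderLinkAttachment(rawUrl, label) {
  const href = normalizeLinkUrl(rawUrl);
  if (href === null) return `<span>${escapeHtml(label)}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Render a place or display name (hypothetical helper) as inert text.
function renderPlaceName(name) {
  return `<span class="place">${escapeHtml(name)}</span>`;
}

// Constructed sample inputs, using the two vectors quoted in the post.
console.log(renderLinkAttachment("javascript:alert(6)", "PoC Click Me"));
console.log(renderLinkAttachment("https://example.com/a?b=1&c=2", "ok"));
console.log(renderPlaceName('<img src="a.jpg"onerror=javascript:alert(6)>'));
```

The scheme check has to run on the server against the parsed URL, since the chat bug was triggered by changing the request rather than by anything typed into the page.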
Source: Here