XSS Exploit Hidden In Facebook Bully Video

A security researcher discovered a new cross-site scripting (XSS) vulnerability on Facebook, days after the social networking giant patched a different XSS flaw in its mobile API. At least one active scam is exploiting the new bug at this time.

“Found another instance of that Facebook app XSS – and it’s a Facebook XSS issue. Do not click links involving a video of a bully,” Joey Tyson, a security engineer at Gemini Security Solutions, posted on Twitter. Tyson writes about social networking sites’ privacy and security issues on his blog, Social Hacking.

Malicious JavaScript Payload

The flaw has to do with the way browsers load particular links formatted in “a certain syntax” as Javascript even though they are not filtered by Javascript, Tyson said. It is more sophisticated than most XSS attacks as the actually video does load for the user. “The JS payload can do quite a bit,” Tyson added.

The app can post the link to the “video” on the user’s Wall, add the user to a scam event and send invites to the event to friends, and send out the link on Facebook Chat.

Many past Facebook scams displayed a page and told users to download a plugin – really malware – to view the video, or just redirected users to a survey or another malicious site. Viewers rarely saw the video they had clicked to see.

Facebook has informed Tyson that it is tracking the attack and will be pushing out an update “soon”, according to Tyson. Facebook has removed several of the apps already, which made it a little challenging for Tyson to find an active scam to analyse. He pasted the actual exploit code on text-sharing site Pastebin which pointed to a video titled “Pal Pushes Bully”.

A malicious app called “April Fools Prank” identified by Google engineer Ashish Bhatia on his personal blog appears to have used the same exploit, according to Tyson.

Users on Facebook who click on a link and land on an app page with an embedded video should not click on the video, Tyson warned. Infected users should check “liked” pages for any rogue sites and reset their passwords.

Tyson confirmed to eWEEK on Twitter that this flaw was different from the mobile API XSS flaw that Facebook patched on March 31.

The bug in the mobile API allowed malicious apps to automatically post spam messages on users’ Walls, according to Symantec. As unsuspecting friends clicked on the links embedded in the Wall posts, the infection spread even further. There were several copycat attacks exploiting this XSS flaw, which was caused by insufficient Javascript filtering.

Any user logged into Facebook and accessing a site with the malicious Javascript code on a mobile device would automatically post the Spam message on his or her Wall, said Symantec security expert Candid Wueest.

“There is no other user interaction required, and there are no tricks involved, like clickjacking. Just visiting an infected website is enough to post a message that the attacker has chosen,” said Wueest

Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent these kinds of attacks.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago