Persistent XSS Vulnerability in Facebook

There is a JavaScript spam trick on Facebook resulting in spam messages being posted on many user accounts. First mentioned yesterday by our colleagues at GFI Software, the persistent cross-site scripting vulnerability still remains unpatched as of this writing. So, what happened? Some attacker has discovered a new method to inject JavaScript through specially crafted Facebook application pages. Normally the script would be removed by filters before the page is shown to the user, but in this case it is able to slip through. The malicious script is then executed in the context of Facebook.com, allowing it to perform requests under the user’s session. Keep in mind that this happens before the application asks for any permissions. Visiting the page while logged into Facebook is enough to get it started, which is normally the case when a user is viewing new messages.

When following such a link, the malicious script shows a fake update procedure for the Adobe Flash Player as a distraction. The user is intimidated with warnings when attempting to leave the page too early, but the whole attack only takes a few seconds to complete.

Meanwhile, in the background, the script checks who is currently viewing the page by parsing the current site for the user’s ID. The script then starts issuing hidden AJAX requests to get the user’s profile page from Facebook. Because the user is logged in and has a valid session, the script can perform all the actions needed to submit a post, a classic session-riding attack. In this case, it will post a link to some spam sites. The script also ensures that it only posts once per user by checking whether there is already a spam message shown on the user’s wall. The posted messages vary and are updated by the attacker. We have seen advertisements for “weight loss products” and also “free iPad give away” campaigns being used, as can be seen in the screenshot. Those spammed links point to harmless but annoying pages. Visiting those sites will not infect your profile, at least not at the time of writing this article.

But the script has more to it; it will also search for any of your friends’ UIDs and send them a direct message with a link to an infected application site. This way your friends might fall for the malicious script and start a new wave all over again. So watch out for suspicious private messages from your friends.

One of the bait messages sent is: “Hey, What the hell are you doing in this video? Is this dancing or what?? lol http://[removed]”

Such injected malicious scripts have a high potential for doing all sorts of damage. They could modify your profile or, as in this case, send out infected messages, or even possibly add apps or friends. Even if the script needed to do something that requires a CAPTCHA to be solved, it could reflect the CAPTCHA back to the user and use a social engineering trick to get the user to solve it.

This is just another example of the sophisticated attacks that we see on Facebook every day. On a side note, the same domain is also used to serve a Facebook phishing site with a fake login screen, so clearly the attackers are running various scams on the side.

Fortunately we have not seen the injection vulnerability being used by other attack groups yet. The security team at Facebook has been informed and is working to patch the vulnerability in short order. Measures have already been implemented to short circuit any further attempts at exploitation.