- Jan 24, 2011
A Facebook cross-site scripting vulnerability was exploited by hackers to create an XSS worm with the purpose of spamming weight loss products.
According to security researchers from Symantec who analyzed the attack, the persistent XSS vulnerability leveraged was located somewhere in the application publishing form.
This allowed attackers to permanently inject malicious JavaScript code into rogue Facebook app pages.
Because the resulting pages were hosted under Facebook.com, the rogue code was executed by the browser in the context of the domain.
This allowed attackers to piggyback on the sessions of authenticated users and abuse them to perform unauthorized actions.
Links to the rogue pages were being distributed via private messages that read: "Hey, What the hell are you doing in this video? Is this dancing or what?? lol [link]"
Users who visited them saw a fake Flash Player update and were asked not to interrupt the process. This was used as a distraction to buy time for the real attack to execute.
While the users were waiting, in the background the malicious JavaScript code obtained their user IDs and forced their browsers to post status updates that promoted weight loss products and free iPads.
"Those spammed links point to harmless but annoying pages. Visiting those sites will not infect your profile, at least not at the time of writing this article," the Symantec researchers wrote.
More details - link
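The bug class described above, stored text from a publishing form being echoed into a page served from the main domain, as an added example that is not Symantec's or Facebook's code; the app record, field names and render functions are constructed for illustration, and the hardened form shows the output-encoding fix.

```javascript
// Added example modelling a persistent (stored) XSS: a field submitted through
// an app publishing form is saved and later rendered, unescaped, into a page
// under the hosting domain, so every visitor's browser runs it in that origin.

// Escape the five characters that let user text break out of an HTML text
// node or a double-quoted attribute value.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: stored fields are concatenated into the markup as-is,
// so any markup the submitter saved is interpreted by the visitor's browser.
function renderAppPageVulnerable(app) {
  return `<h1>${app.name}</h1><p>${app.description}</p>`;
}

// Hardened rendering: every stored field is HTML-escaped at output time, so the
// same stored text is displayed literally instead of being executed.
function renderAppPageSafe(app) {
  return `<h1>${escapeHtml(app.name)}</h1><p>${escapeHtml(app.description)}</p>`;
}

// Constructed record: a submitter-controlled description carrying markup.
const storedApp = {
  name: 'Dance Video',
  description: 'Watch now! <script>alert(1)</script>',
};

// Review/test check for rendered output built from untrusted fields: the
// HTML must not contain a raw script tag.
function containsRawScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log('vulnerable:', renderAppPageVulnerable(storedApp));
console.log('safe:      ', renderAppPageSafe(storedApp));
```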