Critical Facebook XSS serves as proof

Researchers warn that browser support for HTML5 features may create serious security problems for websites by making code formerly thought secure vulnerable. A critical cross-site scripting hole on Facebook, one that leaves no trace in server logs, was used to demonstrate the concept.
To demonstrate the problem, Mr. Austin exploited this shortcoming on Facebook's popular web interface for smartphones at touch.facebook.com. The page loads content into a div via AJAX, with the content selected by the part of the URL after #, and does not employ frame-busting protection, so it can be embedded in an IFrame on a third-party site.
Such an attack is also hard to spot. The fragment (the part of the URL after #) is never sent to the server, so it does not appear in access logs and webmasters cannot see the unauthorized requests. And because everything happens on the client side, server-side parameter filtering, including a web application firewall (WAF), would not help.
According to Mr. Austin, an attacker could embed an IFrame exploiting this issue in a rogue website and then trick users into visiting it. If a victim has an active Facebook session, the attacker gains complete control over touch.facebook.com in that session and can view the victim's name, email and phone number, access their photos, read and send messages from their account, post comments and even add friends. With a bit more fiddling the attacker can also take control of a Facebook application owned by the victim.
Facebook has addressed this security issue, but the social networking website is not alone in this mess. Many websites that rely on similar methods of serving content, including some jQuery libraries, are also affected. "Cross-Origin Resource Sharing is currently available in Firefox 3.5, Safari 4, and Google Chrome 2. IE8 supports CORS with the XDomainRequest function instead of the existing XMLHttpRequest," Austin notes.
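The pattern described above, as an added example that is not code from the original article, from Mr. Austin's research or from Facebook: a hash-routed page that fetches whatever follows # with XMLHttpRequest and injects the response into a div via innerHTML, next to a hardened resolver that only accepts allowlisted same-origin paths. The origin touch.facebook.com is taken from the article; the path allowlist, the evil.example host, the sample CORS headers and the request-line helper are assumptions made here for illustration, not details from the research. The example also shows why the fragment never reaches server logs.

```javascript
// Added example, not from the original article or from Facebook's code.
// Models a hash-routed page such as touch.facebook.com that does, roughly:
//   xhr.open("GET", location.hash.slice(1)); div.innerHTML = xhr.responseText;
// and contrasts it with a hardened version of the same routing logic.

const PAGE_ORIGIN = "https://touch.facebook.com"; // origin named in the article

// Paths the hardened router may load. Assumed for illustration; a real site
// would use its own list of content endpoints.
const ALLOWED_PATHS = new Set(["/home.php", "/messages", "/friends", "/profile.php"]);

function stripHashMark(hash) {
  return hash.startsWith("#") ? hash.slice(1) : hash;
}

// Vulnerable resolver: trusts the whole fragment as the fetch target.
// Before CORS a cross-origin target here would simply fail in the browser;
// once the browser supports CORS, an attacker host answering with
// "Access-Control-Allow-Origin: *" gets its response body handed to the page,
// where innerHTML turns it into markup and script in the Facebook origin.
function vulnerableTarget(hash) {
  return new URL(stripHashMark(hash), PAGE_ORIGIN + "/").href;
}

// Hardened resolver: resolve the fragment against the page origin, then
// refuse anything whose origin differs (absolute URLs, protocol-relative
// "//host/..." forms, javascript: URLs) or whose path is not allowlisted.
// Returns null when the fragment must not be fetched.
function hardenedTarget(hash) {
  let url;
  try {
    url = new URL(stripHashMark(hash), PAGE_ORIGIN + "/");
  } catch (e) {
    return null; // unparsable fragment
  }
  if (url.origin !== PAGE_ORIGIN) return null;
  if (!ALLOWED_PATHS.has(url.pathname)) return null;
  return url.href;
}

// Models the browser's decision on whether the page may read an XHR response.
// Same-origin responses are always readable; cross-origin responses are readable
// only when the server opts in with a matching Access-Control-Allow-Origin header.
// Header names are expected lowercased, as node's http module delivers them.
function browserAllowsResponse(targetUrl, responseHeaders) {
  const target = new URL(targetUrl);
  if (target.origin === PAGE_ORIGIN) return true;
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === PAGE_ORIGIN;
}

// The request line the server actually receives for a navigation to fullUrl.
// The fragment is never transmitted, which is why the attack payload does not
// show up in access logs and why server-side filtering cannot see it.
function requestLineFor(fullUrl) {
  const u = new URL(fullUrl);
  return "GET " + u.pathname + u.search + " HTTP/1.1";
}

// Stand-alone walkthrough with a constructed attack URL.
function demo() {
  const attackHash = "#http://evil.example/payload.html"; // constructed sample
  const attackerHeaders = { "access-control-allow-origin": "*" }; // constructed sample
  const vulnerable = vulnerableTarget(attackHash);
  return {
    vulnerableFetches: vulnerable,
    browserHandsOverBody: browserAllowsResponse(vulnerable, attackerHeaders),
    hardenedFetches: hardenedTarget(attackHash),
    serverSees: requestLineFor(PAGE_ORIGIN + "/" + attackHash),
  };
}

console.log(demo());
```

The hardened resolver keeps the routing behaviour the page relies on (`#/messages` still loads /messages) while rejecting every cross-origin target, so enabling CORS in the browser no longer changes what the page will fetch. Building the view from the response with DOM methods or textContent rather than innerHTML would be the matching fix on the sink side, but the origin check is what closes the hole the article describes.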
You can follow the editor on Twitter @lconstantin