Um bug XSS encontrado (e fixo) em

facebook-stforumTodos nós amamos o Facebook, mas sabemos como é seguro? Pelo visto, não é tão seguro quanto deveria, as disclosed by the independent security researcher Jack Whitton also known as fin1te. The UK researcher just published an unbelievable story involving an XSS bug (cross-site-scripting) and Facebook’s content delivery network.

The researcher reported the bug back in July 2015 but didn’t go public just until few days ago.

Why Are XSS Bugs Dangerous?

What is an XSS vulnerability? An XSS-powered attack takes place when malicious actors implement malicious scripts to legitimate websites. An XSS vulnerability is exploited when you, por exemplo, send a website content that includes embedded malicious JavaScript. The website will later include the code in its reply.

Every time a website shows any content that comes from another source (such as an uploaded file or included in a URL address), the website should filter out any suspicious characters. Keep in mind that such characters usually include brackets and < > signs. Such signs are used to denote parts of a page that should be managed as images, ligações, Scripts, etc.

The XSS Bug in

What did fin1te find? The researcher found a way to create a URL on, redirected to allocate his specially crafted file from the content delivery network (CDN). Em outras palavras, he succeeded in uploading a hidden script to the CDN, and retrieving it with the help of an innocently masqueraded link.

Once clicked by a user, the script would run in the browser like it was an official Facebook script. If the user is logged in, the crafted script could do practically anything the user would do – post messages, fotos, get access to private data, etc.

Having in mind how a social network works, such scripts could easily go viral, in a negative aspect. That is why an attack involving an XSS bug could be referred to as a worm-like threat. It can be deployed to spread itself automatically across any network, thus turning into a network worm or virus.

The XSS bug was fixed almost immediately after the researcher reported it to Facebook. Não obstante, he waited half a year to make it public so that Facebook security engineers have enough time to implement a better solution. He was awarded $7500.

Milena Dimitrova

Milena Dimitrova

Um escritor inspirado e gerenciador de conteúdo que foi com SensorsTechForum desde o início. Focada na privacidade do usuário e desenvolvimento de malware, ela acredita fortemente em um mundo onde a segurança cibernética desempenha um papel central. Se o senso comum não faz sentido, ela vai estar lá para tomar notas. Essas notas podem mais tarde se transformar em artigos! Siga Milena @Milenyim

mais Posts

Me siga:

Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Compartilhar no Twitter chilrear
Compartilhar no Google Plus Compartilhar
Partilhar no Linkedin Compartilhar
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Partilhar no StumbleUpon Compartilhar