In association with heise online

27 May 2008, 14:25

Cross-site scripting hole in Facebook closed


Facebook, the second largest social networking site, was vulnerable to cross-site scripting attacks up to the end of last week. It was possible to inject malicious JavaScript and have it executed in users' browsers. Attackers were reportedly able to redirect visitors to infected websites automatically or steal login information.

The flaw has been fixed, but a demonstration can still be found in the archive of the "XSSed Project". An estimated 70 million users were vulnerable to attack, but it is unclear whether the flaw was ever actually exploited. Facebook thus turns out to be just as unsafe as other popular portals such as MySpace and Orkut.

For some time now, attackers have been making use of the popularity of certain websites to distribute their malicious code among surfers. Criminals recently injected JavaScript code into the website of Germany's Channel One (ARD), redirecting visitors to sites that exploited flaws in browsers to infect their systems.

