Posted by: David Harley | November 17, 2011

Facebook, what’s a “self-XSS vulnerability”?

My friend and colleague at ESET, Aryeh Goretsky, has followed up on his earlier post Much Ado About Facebook, on Facebook, the Fawkes virus, and the recent epidemic of offensive material, with a Part II post in which he reminded me of an interesting point. (Actually, several interesting points, but this one struck a particular chord with me.)

Facebook have described the root cause of the problem as:

a “self-XSS vulnerability” caused by their users pasting malicious JavaScript into their web browsers’ address bars.

I’m not convinced that Facebook’s rather sparse information to date is the whole of the story. But there is an indication of how that might have been accomplished on a Sophos blog here.

Which is slightly ironic, given Facebook’s attempts to counter Sophos criticism of FB’s inconsistent performance at dealing with Facebook-specific threats.

And we’re still waiting to see Facebook talk directly to its users about all this, if only through the Facebook Security page.

David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow
