Posted by: David Harley | November 17, 2011

Facebook, what’s a “self-XSS vulnerability”?

My friend and colleague at ESET, Aryeh Goretsky, has followed up on his earlier post Much Ado About Facebook, on Facebook, the Fawkes virus, and the recent epidemic of offensive material, with a Part II post in which he reminded me of an interesting point. (Actually, several interesting points, but this one struck a particular chord with me.)

Facebook have described the root cause of the problem as:

 a “self-XSS vulnerability” caused by their users pasting malicious JavaScript into their web browsers’ address bars. 

I’m not convinced that Facebook’s rather sparse information to date is the whole of the story. But there is an indication of how that might have been accomplished on a Sophos blog here

Which is slightly ironic, given Facebook’s attempts to counter Sophos criticism of FB’s inconsistent performance at dealing with Facebook-specific threats. 

And we’re still waiting to see Facebook talk directly to its users about all this, if only through the Facebook Security page

Small Blue-Green World/AVIEN
ESET Senior Research Fellow

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: