14 DAY TRIAL // A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec.
The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation.
In order to exploit it, attackers created a Web page containing a specially crafted iframe element that forced all logged in Facebook users visiting it to post rogue messages on their walls.
By crafting the spammed message to lure users into visiting the malicious site, the hackers were able to create a self-propagating worm.
The Symantec experts say the vulnerability was exploited in more limited attacks before being used to launch the worm, but also note that more copy cats followed the initial wave.
Some browsers have anti-XSS filters built-in by default, but they are not very efficient. The only one that can block a significant number of attacks is included in the NoScript Firefox extension.
XSS worms used to be quite frequent in 2009, however, social media websites have since gotten better at preventing such attacks.
Nevertheless, some continue to pop up from time to time. Actually, the last one launched on Facebook occurred earlier this month and was used to spread weight loss spam.
In October last year, French security researchers demonstrated two information stealing worms that worked by exploiting cross-site request forgery and cross-site scripting vulnerabilities on Facebook.
According to Symantec's Candid Wueest, Facebook has since addressed the vulnerability. "Facebook has informed us that they have patched this XSS vulnerability. In addition, they are currently working on steps to remediate damage caused by the attacks," he says.
Last year Twitter was hit by a massive and more resilient XSS worm that locked hundreds of thousands of users out of their accounts.