March 10th, 2011, 17:55 GMT · By

Facebook Spam Worm Propagates via Persistent XSS Vulnerability

[Image: Spam XSS worm making the rounds on Facebook]
A cross-site scripting (XSS) vulnerability in Facebook was exploited by attackers to build a self-propagating XSS worm whose purpose was to spam weight loss products.

According to security researchers from Symantec, who analyzed the attack, the flaw was a persistent (stored) XSS vulnerability located somewhere in the form used to publish application pages.

This allowed the attackers to inject malicious JavaScript into rogue Facebook app pages once, after which it was stored and served to every visitor.

Because the resulting pages were hosted under facebook.com, the injected code ran in the victim's browser with the facebook.com origin, the same origin as the user's authenticated session.

That in turn let the attackers piggyback on the sessions of logged-in users and perform actions on their behalf, with no need to steal passwords or session cookies.
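To make the mechanism concrete, here is an added example (not Symantec's analysis code and not Facebook's code) that models a "publishing form" whose stored fields are rendered into an app page, first without output encoding and then with it. The store, the field names, the page template and the marker payload string are all assumptions made for this illustration; the payload is a generic placeholder, not the worm's real script.

```javascript
// Added illustration of persistent (stored) XSS versus output encoding.
// Everything here is hypothetical: an in-memory store stands in for the
// database behind an app-publishing form, and the payload is a harmless marker.

// Constructed sample input: text an attacker might submit through a free-text
// field that is later rendered into an HTML page without encoding.
const SUBMITTED_DESCRIPTION =
  'Dance video<script>/* would run with the victim\'s session */</script>';

// In-memory "database" of published app pages (hypothetical).
const store = new Map();

function saveAppPage(appId, fields) {
  // Fields are stored verbatim; persistence is what makes the XSS "stored".
  store.set(appId, { ...fields });
}

// VULNERABLE: stored text is interpolated straight into the HTML body, so a
// payload saved once is parsed and executed by every browser that loads it.
function renderAppPageVulnerable(appId) {
  const page = store.get(appId);
  return `<div class="app"><h1>${page.title}</h1><p>${page.description}</p></div>`;
}

// HTML entity encoding suitable for text nodes and double-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: every stored field is encoded for the HTML context it lands in,
// so the same payload is displayed as literal text instead of parsed as markup.
function renderAppPageSafe(appId) {
  const page = store.get(appId);
  return `<div class="app"><h1>${escapeHtml(page.title)}</h1>` +
         `<p>${escapeHtml(page.description)}</p></div>`;
}

// Crude check used only to show the difference between the two renderers:
// does the output still contain a script tag the browser would execute?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Store the attacker's submission once, then render it for a "victim".
saveAppPage('demo-app', { title: 'Funny video', description: SUBMITTED_DESCRIPTION });

console.log('vulnerable renders script tag:', containsScriptTag(renderAppPageVulnerable('demo-app')));
console.log('hardened renders script tag:  ', containsScriptTag(renderAppPageSafe('demo-app')));
```

Entity encoding as shown covers text and attribute-value contexts only; a stored value placed into a URL attribute, an inline event handler or a script block needs encoding for that context, and a Content Security Policy that forbids inline scripts limits the damage if a single sink is missed.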

Links to the rogue pages were being distributed via private messages that read: "Hey, What the hell are you doing in this video? Is this dancing or what?? lol [link]"

Users who visited them saw a fake Flash Player update and were asked not to interrupt the process. This was a distraction intended to buy time for the real attack to execute.

While the users were waiting, the malicious JavaScript running in the background obtained their user IDs and forced their browsers to post status updates promoting weight loss products and free iPads.

"Those spammed links point to harmless but annoying pages. Visiting those sites will not infect your profile, at least not at the time of writing this article," the Symantec researchers wrote.

To propagate, the injected code also read each victim's friend list and sent those friends private messages like the one quoted above.

Even though in this case the payload was used for nothing worse than spam, this type of attack is considerably more dangerous than the usual survey scams or clickjacking tricks employed by Facebook spammers, because the script acts with the victim's full session rather than relying on the victim to click through.

Fortunately, finding a constant stream of cross-site scripting vulnerabilities for use in attacks on a site like Facebook is very impractical, if not impossible, so it is unlikely this technique will become widespread.
