Several pages with different functionality are affected

Dec 16, 2008 11:42 GMT  ·  By

The XSSed project made public four different cross-site scripting vulnerabilities in Facebook, discovered by individual security researchers. The flaws affect the developers, applications, user registration, and iPhone login pages.

The XSSed project is an important source of information regarding cross-site scripting (XSS) attacks. The project also maintains an archive of websites affected by XSS vulnerabilities. Dimitris Pagkalos, one of the project's founders, describes these newly discovered Facebook bugs as being highly critical, because they can be exploited “to infect millions of Facebook members with malware, adware and spyware.”

Mr. Pagkalos' estimation is warranted by the fact that, according to Alexa, Facebook currently has a global page traffic rank of 5, and on average is reached daily by over 12.5% of the total number of Internet users. In addition, according to the researchers, three out of four different pages found to be vulnerable were already compromised. The developers.facebook.com page is the only one not listed as XSSed in the project's archive.

Even though at the time of writing this article the vulnerabilities were not tagged as fixed by the XSSed project, it is very likely that the Facebook staff will deal with them quickly. “Facebook staff usually fixes such flaws promptly,” Pagkalos points out.

Cross-site scripting vulnerabilities allow attackers to inject malicious code into legitimate web pages and profit from their popularity in order to distribute malware, hijack user sessions, launch phishing campaigns, or perform other types of attacks. According to MITRE's CVE vulnerability trends, XSS flaws are currently the most widespread.
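To make concrete how such a flaw arises and how it is closed, the following is an added example (not code from the article, from XSSed, or from Facebook). It models a reflected XSS pattern on a search page: a query parameter is copied into the HTML response. The vulnerable renderer echoes the value as-is; the hardened renderer applies HTML entity encoding before insertion, which is the standard fix for this class of bug. The query string and handler names are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query string: a user-supplied search term that
# contains HTML markup (the kind of input XSS scanners probe with).
SAMPLE_QUERY = "q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"


def _search_term(query_string: str) -> str:
    """Extract the 'q' parameter; parse_qs URL-decodes it for us."""
    return parse_qs(query_string).get("q", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflected XSS pattern: untrusted input pasted straight into HTML."""
    term = _search_term(query_string)
    return f"<p>Results for: {term}</p>"


def render_hardened(query_string: str) -> str:
    """Same page, but the untrusted value is entity-encoded for the
    HTML text context. quote=True also encodes ' and " so the same
    helper is safe if the value is later placed inside a quoted attribute."""
    term = _search_term(query_string)
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_unencoded_markup(query_string: str, rendered: str) -> bool:
    """Check a defender can put in a test suite or a response scanner:
    does the decoded input appear in the output with its angle brackets
    intact? If so, the page reflects markup without encoding."""
    term = _search_term(query_string)
    return "<" in term and term in rendered


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = fn(SAMPLE_QUERY)
        flag = reflects_unencoded_markup(SAMPLE_QUERY, out)
        print(f"{name:10s} reflects raw markup: {flag}\n  {out}")
```

The check function is deliberately narrow (text context, angle brackets only); real templating engines auto-escape per context, and a Content-Security-Policy header is a useful second layer, but the core rule the example shows is that untrusted data is encoded at the point it is written into the page, never trusted because it "came from our own site".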

However, even though thousands of websites get compromised through cross-site scripting every day, XSS is not the preferred method of attack on social networking websites. As proven by the success of the Koobface worm that has been plaguing Facebook since July, using pure social engineering tactics for propagation can be much more efficient than relying on a particular flaw that can be fixed rather quickly. Another good example is the very recent hi5 phishing campaign.

This doesn't mean XSS flaws are not dangerous or should be treated lightly. Combined with critical vulnerabilities in other popular software, such as the recently discovered and unpatched Internet Explorer bug, they can cause serious damage. Adding to that equation the high profile of many unpatched websites listed in the XSSed archive, like governmental agencies, financial and health institutions, or large organizations, only makes things worse. A good example is the phishing attack affecting Yahoo! HotJobs users, which used XSS.