New Critical XSS Flaw Plagues Facebook

The password reset page is affected

By Lucian Constantin, Web News Editor

5th of January 2009, 15:08 GMT

[Image caption: Facebook password reset page open to phishing attacks]
A new cross-site scripting vulnerability affecting the Facebook social networking website has been disclosed on the XSSed project's website. The flaw allows the injection of potentially malicious code into the affected page.

The XSSed project tracks XSS vulnerabilities, and its archive contains over 30,000 documented flaws of this kind affecting hundreds of highly popular websites. It is also a good source of information on the prevention and mitigation of cross-site scripting attacks. The XSSed report credits security researcher DaiMon with the discovery of this latest threat.

According to Alexa, Facebook currently has a global page rank of 5 and, as Dimitris Pagkalos, one of XSSed Project's co-founders, points out, this significantly increases the flaw's attack potential. “Malicious users can inject code to phish credentials and other sensitive personal information from millions of Facebook members,” he explains.

This is not the first time that major XSS bugs have been discovered in Facebook's pages. Less than a month ago, we reported four similar flaws affecting the Facebook developers, applications, user registration, and iPhone login pages. The XSS vulnerability on the apps.facebook.com page in particular was also discovered by DaiMon.

DaiMon's history on the XSSed website shows that he is also credited with the discovery of XSS flaws affecting many high-profile pages belonging to Yahoo, ICANN, AVG, Symantec, Panda Security, Citibank, Unicef, UEFA, WorldBank, Harvard, Ericsson, Motorola, Siemens, Samsung, and Mozilla, just to name a few. An impressive number of governmental and military sites are also on his list of vulnerable pages.

At the time of publishing this article, this latest XSS vulnerability affecting Facebook's password reset page had not yet been fixed. However, Dimitris Pagkalos' statement might be an indication that there is a good chance of Facebook acting promptly. “We hope that this serious flaw gets fixed quickly as is usually the case with security flaws in Facebook,” he says.

According to MITRE's CVE vulnerability trends, cross-site scripting bugs are currently the most common and widespread class of security flaw, and literally thousands of new pages are exploited every day in order to launch a wide variety of attacks. Such flaws are often combined with other types of vulnerabilities in order to build more complex and harder-to-track schemes.

TAGS:

XSS vulnerability | cross-site scripting | XSSed Project | password reset | Facebook
© Copyright 2001-2009 Softpedia
User opinions:


Comment #1 by: melody gambe on 06 Jan 2009, 08:02 GMT

I'm one of those affected. Now I cannot reset my password and I'm even failing to socialise with my friends.


Comment #2 by: Lucian Constantin on 06 Jan 2009, 15:30 GMT

If you don't have access to your account and cannot reset the password, because you don't have access to the e-mail address associated with your account, please use the form located at http://www.facebook.com/help/login.php
