Nir Goldshlager of Break Security is the one who identified the vulnerabilities

Apr 18, 2013 07:49 GMT  ·  By

Security researcher Nir Goldshlager, the CEO and founder of penetration testing company Break Security, has identified several persistent cross-site scripting (XSS) vulnerabilities in Facebook. The vulnerabilities have been confirmed and fixed by the social media company.

The security issues plagued services such as Facebook Chat, Facebook Messenger and Facebook Check In.

“These findings are almost always interesting if you happen to find them in the right location,” Goldshlager wrote in a blog post.

“For instance, what would occur if the Malicious Stored XSS Payload ran on the victim every time they checked in? You could also inject the Payload into the Facebook Chat Screen, which could be really interesting.”

According to the researcher, an attacker could exploit such vulnerabilities in two ways. One would be to let victims access the stored XSS payload on their own.

The second method involves exploiting the flaw in such a way that would ensure that the payload would be executed each time the victim visited one of the pages set up by the attacker.

The XSS issue in the Chat feature existed because Facebook did not verify that the “attachment[params][urlinfo[final]” parameter of the “post message” request was a legitimate link before storing and rendering it. An attacker could have exploited this to make malicious requests.
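The flaw described above is a missing validation step on a user-supplied attachment URL that is later rendered in another user's chat screen. The following is an added example, not code from the article or from Facebook, showing the server-side check a message-posting endpoint would apply: parse the submitted link, accept only web schemes, and output-encode it when rendering. The function names (`sanitizeAttachmentUrl`, `renderAttachment`) and the shape of the `params` object are assumptions for illustration.

```javascript
// Added example (not the article's or Facebook's code). Validates an
// untrusted attachment link before it is stored and rendered for others.
// Function names and the params layout are hypothetical.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalized absolute URL string if the input is a legitimate
// web link, otherwise null. Using the WHATWG URL parser lower-cases the
// scheme and strips leading whitespace, so "JavaScript:" or " javascript:"
// variants cannot slip past the scheme allow-list.
function sanitizeAttachmentUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw.trim()); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // rejects javascript:, data:, vbscript:
  if (!parsed.hostname) return null;
  return parsed.href;
}

// Minimal HTML escaping for text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders an attachment preview. The link is validated first and then
// output-encoded; an invalid link yields plain text with no anchor at all,
// so a stored payload never reaches the recipient's chat screen as markup.
function renderAttachment(params) {
  const url = sanitizeAttachmentUrl(params.urlinfo && params.urlinfo.final);
  const title = escapeHtml(String(params.title || ""));
  if (url === null) return `<span class="attachment">${title}</span>`;
  return `<a class="attachment" href="${escapeHtml(url)}" rel="noopener noreferrer">${title}</a>`;
}

// Constructed sample inputs: one legitimate link, one scheme-based payload.
const legit = renderAttachment({ urlinfo: { final: "https://example.com/page?a=1" }, title: "Example" });
const blocked = renderAttachment({ urlinfo: { final: "javascript:alert(1)" }, title: "<b>click</b>" });
```

Validating at write time (before storage) and encoding at render time are both needed: the allow-list stops non-web schemes from ever being persisted, while `escapeHtml` ensures that even a well-formed `https:` URL or title containing quotes or angle brackets cannot break out of the attribute or text context it is placed in.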

In order to exploit the Check In vulnerability, an attacker would have needed to create a new location within Facebook Pages.

Goldshlager found that an attacker could have entered a malicious script into the information fields, making sure that the payload would be executed each time someone checked in to the newly created location.

Finally, the Facebook Messenger bug, which affected only Windows users, could have been leveraged by cybercriminals to execute the stored XSS payload each time the victim logged into Facebook Messenger.

Additional technical details of these security holes can be found on the Break Security blog.

Here is the video that demonstrates the existence of the stored XSS vulnerability in Facebook Chat:

Here is the one that shows the existence of the security hole in Facebook Messenger: