XSS vulnerabilities discovered in Facebook, closed quicklyFacebook has closed a number of cross-site scripting (XSS) vulnerabilities that left users open to phishing attacks and identity theft.
The vulnerabilities were reported Monday by XSS archival website, xssed.com. The vulnerable Facebook areas included the developer's page, new user's registration page, iPhone login page and the applications page. The vulnerabilities could have been exploited to infect users with malware, adware and spyware, according to xssed.com.
“We take security issues very seriously and these were closed within hours of receiving the reports,” Facebook spokesman Barry Schnitt said in an email. “There haven't been any reports of exploits.”
Researchers Zeitjak, David Wharton, Daimon and p3lo discovered the flaws and posted proof-of-concept code on the xssed website on Monday. Xssed.com security researcher, Dimitris Pagkalos, noted the vulnerabilities yesterday as being “highly critical”.
“The amount of time and effort required to fix an XSS vulnerability largely depends on the organization,” Jeremiah Grossman founder and CTO of WhiteHat Security, said in an email to SCMagazineUS.com Tuesday. “The more familiar they are with the issue, typically, the faster they are able to remediate.”
To protect themselves, users might consider installing the NoScript plugin and exercising additional caution when clicking on Facebook links from non-trusted sources, Grossman added.
XSS vulnerabilities are not new to social networking sites. In October 2005, a MySpace user unleashed an XSS worm called the Samy worm that allowed him to add one million users to his "friend's" list.
Facebook has not been without its share of other security issues. In one of the largest spam-settlements of its type, Facebook last month was awarded $873 million in damages against a junk mailer.
Also, since the summer, a worm called Koobface has been circulating on Facebook, spreading itself through users' friend lists. The virus installs a component that watches infected users' HTTP traffic with the intention of hijacking a user's internet search results.