Facebook cross-site-scripting exploit uses “bully video” to deliver a sophisticated payload
A security researcher discovered a new cross-site scripting (XSS) vulnerability on, days after the social networking giant patched a different XSS flaw in its mobile API. At least one active scam is exploiting the new bug at this time.
“Found another instance of that Facebook app XSS – and it’s a Facebook XSS issue. Do not click links involving a video of a bully,” Joey Tyson, a security engineer at Gemini Security Solutions, posted on. Tyson writes about social networking sites’ privacy and security issues on his blog, Social Hacking.
The app can post the link to the “video” on the user’s Wall, add the user to a scam event and send invites to the event to friends, and send out the link on Facebook Chat.
Many past Facebook scams displayed a page and told users to download a plugin – really malware – to view the video, or just redirected users to a survey or another malicious site. Viewers rarely saw the video they had clicked to see.
Facebook has informed Tyson that it is tracking the attack and will be pushing out an update “soon”, according to Tyson. Facebook has removed several of the apps already, which made it a little challenging for Tyson to find an active scam to analyse. He pasted the actual exploit code on text-sharing site Pastebin which pointed to a video titled “Pal Pushes Bully”.
A malicious app called “April Fools Prank” identified byengineer Ashish Bhatia on his personal blog appears to have used the same exploit, according to Tyson.
Users on Facebook who click on a link and land on an app page with an embedded video should not click on the video, Tyson warned. Infected users should check “liked” pages for any rogue sites and reset their passwords.
Tyson confirmed to eWEEK on Twitter that this flaw was different from the mobile API XSS flaw that Facebook patched on March 31.
“There is no other user interaction required, and there are no tricks involved, like clickjacking. Just visiting an infected website is enough to post a message that the attacker has chosen,” said Wueest
Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent these kinds of attacks.