:: General information
:: Having fun with the Facebook search box
:: by Valentin Hoebel
:: valentin@xenuser.org

:: Product information
:: Name = Facebook search app
:: Vendor = Facebook
:: Vendor Website = http://www.facebook.com


:::::::::: About this document
First of all: Don’t expect something bombastic or critical. This is just some stuff I discovered and want to share with you, but you won’t be able to exploit the vulnerability (at least not in a very critical manner).

It seems that I am not the first one to discover this, so don't credit me. I don't want to cause any damage and don't want to motivate you to inject code into Facebook. This is just for educational purposes.


:::::::::: About the "vuln"
Facebook is the fastest growing social media networking website and millions of people reveal their personal information there.
In the past, several XSS vulnerabilities were found. In additional, many Facebook apps being developed by external companies and private individuals contained (and still contain) SQL injection vulns.

Another possiblity of injecting HTML and Java Script into Facebook is the search field at the top of the screen. When you type in something the first eight results get displayed before you even hit the submit button (e.g. type in "Internet"). As you can see, the string you are typing in gets copied and displayed at the end of the top eight search results at the same time: “See More Results for internet”

This means that your search string somehow gets “parsed” while you are entering it.

Using HTMl code is possible. Try the following things:
<img src=
<br><br><br><br>
<textarea

It works the following way:
If you type in something into the search box which is known to Facebook (e.g. the name of one of your buddies or an existing group) the search tool completes the search string for you and displays some results. So in this case, a group called iframe is existing and the search app completes the search string and parses the result as HTML.

When you try this
<iframe
or only
iframe
an iframe gets implemented.


:::::::::: How to exploit this
The search box only auto completes stuff which is known, so creating a group with HTML or Java Script code as it's name is possible.
E. g. create the following group:
<iframe src=http://milw0rm.com></iframe>

Afterwards go back to the search box and type in:
<iframe
As you will see, the milw0rm site gets displayed within Facebook.

It is also possible to inject external Java Scripts, so when you have enough imagination and time you definitely will be able to include external Java Scripts and make them appear when someone types in a specific search string.


:::::::::: Facebook's reaction
Facebook was contacted weeks ago but only default support replies were received. They don't seem to be interested in fixing this.


:::::::::: Full report 
http://www.xenuser.org/2010/04/02/having-fun-with-facebook/