First of all: Don’t expect something bombastic or critical. This is just some stuff I discovered and want to share with you, but you won’t be able to exploit the vulnerability (at least not in a very critical manner).
Facebook was already contacted weeks ago by me but they were not interested in my “report”. After having looked closer, I found out that other people already made use of this vuln, but they did not publish it since it is not critical.
Injecting HTML code into Facebook
If you use Facebook you probably know the search field at the top of the screen. When you type in something the first eight results get displayed before you even hit the submit button:
As you can see, the string you are typing in gets copied and displayed at the end of the top eight search results at the same time: “See More Results for internet”
This means that your search string somehow gets “parsed” while you are entering it. So why not use some code?
As you can see the HTML code gets injected into the Facebook search field box.
While playing around a little bit I discovered a WTF thing. Enter <style src= and look at what’s happening:
Suddenly the whole page screws up and you get redirected to PLURK, another social media network, immediately:
Include external scripts and websites into Facebook
Many people interested in security think that injecting HTML code into a web app is some sort of XSS. In my eyes, it is harmless as long as you can’t exploit this “vuln” by crafting a typical XSS link. But wait, what if we can force the Facebook search box to include external scripts and websites if a user searches for a specific term?
As you can see, embedding an iframe into Facebook is possible (and very easy). This works the following way: if you type something into the search box which is known to Facebook (e.g. the name of one of your buddies or an existing group), the search tool completes the search string for you and displays some results. So in this case, a group called iframe exists, and the search app completes the search string and renders the result as HTML.
Hm. What if you create a group called <iframe src=http://www.some-malware-site.tld/></iframe> and start typing in “iframe” into the search box?
Whoops! Milw0rm.com gets included into Facebook. Well, still not dangerous.
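To make the mechanism in the two passages above concrete (the typed string reflected into “See More Results for …”, and a stored group name rendered as markup), here is an added example in JavaScript that is not Facebook’s code and not from the original post: a suggestion widget that concatenates untrusted strings into HTML, beside an escaped version and a DOM-based version. SAMPLE_GROUPS, the query, the placeholder host malware.example and every function name are my own assumptions.

```javascript
// Added example, not Facebook's code: a search-suggestion dropdown built by
// string concatenation, shown beside an escaped version and a DOM version.
// The group names and the query below are constructed sample data; the
// iframe host is a placeholder.

// Constructed sample data: one harmless group name and one that carries
// markup, like the "<iframe src=...>" group described in the post.
const SAMPLE_GROUPS = [
  "soccer fans",
  'soccer <iframe src="https://malware.example/"></iframe>',
];

// Vulnerable rendering: the typed query and every matched name are dropped
// straight into the markup. Once this string is assigned to innerHTML, any
// tag inside a group name or inside the query becomes live DOM.
function renderSuggestionsVulnerable(query, groups) {
  const items = groups
    .filter((g) => g.toLowerCase().includes(query.toLowerCase()))
    .map((g) => `<li>${g}</li>`)
    .join("");
  return `<ul>${items}<li>See More Results for ${query}</li></ul>`;
}

// Escape the five characters that matter when text is placed inside element
// content or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: identical structure, but each untrusted value is
// escaped before concatenation, so "<iframe" reaches the page as "&lt;iframe".
function renderSuggestionsSafe(query, groups) {
  const items = groups
    .filter((g) => g.toLowerCase().includes(query.toLowerCase()))
    .map((g) => `<li>${escapeHtml(g)}</li>`)
    .join("");
  return `<ul>${items}<li>See More Results for ${escapeHtml(query)}</li></ul>`;
}

// Detection helper for a unit test or a log review: true when the markup
// contains any tag other than the widget's own <ul> and <li>.
function containsForeignTag(html) {
  return /<(?!\/?(?:ul|li)\b)[a-z]/i.test(html);
}

// In a real browser the cleanest fix is not to build HTML strings at all:
// create elements and assign textContent, which is never parsed as markup.
// (Only runs where a DOM exists; the string versions above run anywhere.)
function renderSuggestionsDom(query, groups, container) {
  const doc = container.ownerDocument;
  const list = doc.createElement("ul");
  for (const g of groups) {
    if (!g.toLowerCase().includes(query.toLowerCase())) continue;
    const li = doc.createElement("li");
    li.textContent = g;
    list.appendChild(li);
  }
  const more = doc.createElement("li");
  more.textContent = `See More Results for ${query}`;
  list.appendChild(more);
  container.replaceChildren(list);
  return list;
}

// Stand-alone demonstration (Node or a browser console).
const typed = "soccer";
console.log("vulnerable:", renderSuggestionsVulnerable(typed, SAMPLE_GROUPS));
console.log("escaped:   ", renderSuggestionsSafe(typed, SAMPLE_GROUPS));
console.log(
  "foreign tag in vulnerable output:",
  containsForeignTag(renderSuggestionsVulnerable(typed, SAMPLE_GROUPS))
);
```

The point for defenders is that both injection sources on this page (the reflected query and the stored group name) flow through the same render function, so escaping at that output point closes both regardless of how the data got into the database; the containsForeignTag check is a cheap regression test to keep in the widget’s test suite.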
How to exploit this
You can exploit this by e.g. creating a group with a well-known keyword and HTML / JavaScript code so the stuff gets included when someone searches for a popular thing (group, game, etc.). Example:
Create a group called “soccer <iframe src=your-malware></iframe>” and have a look if the iframe gets included.
It is also possible to inject external JavaScript, so with enough imagination and time you will definitely be able to include external JavaScript and make it appear when someone types in a specific search string.
And then the funny vuln becomes a little bit critical.
Before I knew that other people also discovered this, I contacted Facebook weeks ago and made them aware of the issue. Sadly they were not interested in my “report”. After having received multiple default replies (like “we are sorry you face issues with your account”) I insisted on at least fixing it, but well, I got this final mail:
Please refer to our Help Center for answers to common questions, solutions to technical issues, and feedback from other Facebook users. You can reach the Help Center (http://www.facebook.com/help.php) by selecting “Help” at the bottom of any Facebook page.
I also tried to report it at the official Facebook security group (view the “white hat” tab) but well, no serious reaction came. I guess they are simply not interested in fixing it.
Other XSS vulns
I am one of the guys who thinks that when you have access to such a high amount of resources (much money, many good and skilled employees) your website and web apps should be secure. Sadly I was wrong: when you look closer you will find many XSS vulnerabilities on Facebook. In addition, many Facebook apps (being developed by external companies and individuals) are vulnerable in many ways: SQL injection, XSS, etc.
Having understood this, I now recommend not revealing too much sensitive information about yourself on Facebook. Like other social networks, Facebook is not perfect and many security leaks exist. Be careful!
Information about this blog post
I wrote this post in order to make people aware of those issues (educational purposes). But I don’t want to motivate you to cause any damage, to harvest user data or to inject code into Facebook apps. Don’t do that.
A txt report was also created, view it here if you like.
Update from 10th April 2010: Facebook finally fixed several XSS vulnerabilities.