{"id":186,"date":"2008-03-06T21:16:29","date_gmt":"2008-03-07T05:16:29","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/2008\/03\/06\/facebook-and-xss-a-sample-in-action-p\/"},"modified":"2008-03-06T21:16:29","modified_gmt":"2008-03-07T05:16:29","slug":"facebook-and-xss-a-sample-in-action-p","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/06\/facebook-and-xss-a-sample-in-action-p\/","title":{"rendered":"Facebook and XSS &#8211; a sample in action! :P"},"content":{"rendered":"<p>Today, I checked Facebook and got a spam wall post. I suspected it was an FB API + XSS exploit and looked into this matter. What a coincidence with the new project! =P<\/p>\n<p><a href=\"http:\/\/www.facebook.com\/wall.php?id=10700817\" title=\"my wall... with the xss spam\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/students.washington.edu\/chrt00\/fbxss.jpg\" alt=\"my wall!\" height=\"682\" width=\"439\" \/><\/a><\/p>\n<p>So after the first Google result I get a complete rundown on how to XSS exploit someone&#8217;s account.<\/p>\n<p><a href=\"http:\/\/www.cs.virginia.edu\/felt\/fbook\/facebook-xss-censored.pdf\">http:\/\/www.cs.virginia.edu\/felt\/fbook\/facebook-xss-censored.pdf<\/a><\/p>\n<p>turns out it is fairly simple to execute!<\/p>\n<p>This shows how even some of the most trusted sites where we share a lot of information can be manipulated to do malicious things. This is one of the real weaknesses of social networking and a open applications API, as javascript works across a whole page without private\/public members that we are accustomed to in traditional OOP.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, I checked Facebook and got a spam wall post. I suspected it was an FB API + XSS exploit and looked into this matter. What a coincidence with the new project! =P So after the first Google result I &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2008\/03\/06\/facebook-and-xss-a-sample-in-action-p\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":34,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[129,130,128],"class_list":["post-186","post","type-post","status-publish","format-standard","hentry","category-current-events","tag-facebook","tag-social-networking","tag-xss"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/34"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=186"}],"version-history":[{"count":0,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/186\/revisions"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}