Admin Admin
Jumlah posting : 229 Points : 672 Join date : 02.04.11
| Subyek: JavaScript hole in Facebook Thu Apr 07, 2011 10:00 pm | |
| [You must be registered and logged in to see this image.] - Quote :
- Facebook made some important changes to the way in Facebook Pages, the fan pages set up by brands, bands and even cucumbers could be created.
In the past the tabs which could be added to these pages have been set up in two ways; the first used the Facebook FBML app. This allowed page tabs to be created using static Facebook Markup Language (FBML) or HTML, it wasn’t particularly engaging but it was very simple to use. The second method for creating page tabs was by adding a custom Facebook app inside a standard FBML tab. This meant the custom app could request external data from a third party and display it inside the page tab. This content though was subject to many technical limitations, as it was all proxied through Facebook which broke many things including tracking pixels, JavaScript and Flash.
So what is the big change? Well Facebook now allow iframes to be included inside Facebook apps on page tabs, meaning that all that Facebook proxying can be avoided. While this is no doubt great news for legitimate developers it will undoubtedly make life for those with malicious intent much easier too.
It is now possible to set up a Facebook page, create a default landing tab (the one you first see when you visit the page) and include an app that contains an iframe. That iframe can for example contain JavaScript which immediately and without user interaction redirects you to any site it chooses. Say for example a page containing Fake AV or a page where an exploit kit is waiting to silently infect you with malware.
No more likejacking required, no more having to persuade users to install your app, if a criminal can make the bait sweet enough just to get you to visit the page, that is all they will require to start the chain that leads to your computer being compromised and used for criminal purposes.
Of course Facebook ask their developers to agree to a code of conduct that prohibits such activities, but when it comes to criminals, that’s a bit like taking a driving license away from a joyrider.
I have informed Facebook of this oversight in their new functionality and will update this blog posting if I hear back from them.
Thanks to Stig Edvartsen for his eagle-eyes and Heidi Obschil-Müller for the iframe
Source: [You must be registered and logged in to see this link.] | |
|