The Facebook Translations tool’s search feature was vulnerable to a simple reflected XSS attack.
How did it work?
The Translations tool allows users to perform phrase searches within translations. In this case, when a search query returned 0 results, the script displayed a message (“Your search for “YOUR PHRASE HERE” did not match any results.”) which contained unsanitized user input (the search query).
Why is this important?
The XSS vulnerability was on Facebook.com. An attacker could have used it to access or change information on people’s accounts.
Despite Facebook’s claims that they’ve eliminatedXSS vulnerabilities, it’s clear that some portions of the site are better protected than others (ie: Translations was probably not using XHP). Lesser used portions of the site, like the Translations tool, are often the most vulnerable since they’re not updated as often or tested as frequently.
I want to thank Facebook for responding to my report and fixing the vulnerability in a timely manner. I especially want to thank them for their support of responsible disclosure and their general policy toward whitehat security researcher.