Nir Goldshlager, Founder/CEO at Break Security known for finding serious flaws in Facebook once again on The Hacker News for sharing his new finding i.e Stored Cross-site Scripting (XSS) in Facebook Chat, Check In and Facebook Messenger.
Stored Cross-site Scripting (XSS) is the most dangerous type of Cross Site Scripting. Web applications where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc
1.) Stored XSS In Facebook Chat: This vulnerability can be used to conduct a number of browser-based attacks including, Hijacking another user's browser, Capturing sensitive information viewed by application users, Malicious code is executed by the user's browser etc.
When a user starts a new message within Facebook that has a link inside, a preview GUI shows up for that post. The GUI is used for presenting the link post using a parameter i.e attachment[params][title],attachment[params][urlInfo][final] , which was not actually filtered for valid links by Facebook.
For proof of concept, Goldshlager exploit this flaw in a way, that each time the victim clicks on this malicious message in Facebook Chat, the Stored XSS will begin to run on their client, as shown:
2.) Stored XSS In Facebook Check-In: The other major and an interesting Stored XSS that Nir reported is in the Facebook Check-In Screen. To exploit this loophole the attackers needs to first construct a new location within Facebook Pages and then, the attacker must change the settings in those new location. When the victim later decides to go to the place the attacker has been, a Stored XSS will run client-side.
3.) Stored XSS In Facebook Messenger (Windows): 3rd and serious flaw in Facebook is capable of injecting a Stored XSS Payload in Facebook Messenger for Windows. Any time the victim sign in into their account in the Messenger, the Stored XSS code will execute on victim's end.
Bugs was reported to Facebook last month by Nir and already patched by Facebook security team.
Old Finding by Nir:
Old Finding by Nir: