VIDEO: Discovered XSS on Facebook can lead to account hijack
Facebook rates as the second most popular website on the internet with 400 million active users. When such a website has common web application security flaws, they are going to be abused for one’s gain. When we came across an obvious cross-site scripting vulnerability, we decided to show that an attacker could do that.
The below video shows how an attacker may exploit a cross-site scripting vulnerability on Facebook.com regardless of the HTTPOnly cookie protection used. Of course, this goes way beyond showing an “alert()” popup in Javascript, since the attacker is also able to hijack the victim’s Facebook account. We also published an article to explain in more technical detail the works behind abusing this Cross-Site scripting vulnerability on Facebook.
Click here for high quality version of this video (opens a new window)
We worked with Facebook to make sure that this vulnerability is fixed. We would like to thank their security team for quickly fixing it.
[...] com o esse vacilo foi divulgado pela Acunetix um artigo técnico e o video abaixo apresentando um ataque de XSS no site do [...]
[...] releases video and technical article about an exploitable XSS on [...]
How is this an XSS attack?
It looks more to me like its an CSRF attack….