VIDEO: Discovered XSS on Facebook can lead to account hijack

Facebook rates as the second most popular website on the internet with 400 million active users. When such a website has common web application security flaws, they are going to be abused for one’s gain. When we came across an obvious cross-site scripting vulnerability, we decided to show that an attacker could do that.

The below video shows how an attacker may exploit a cross-site scripting vulnerability on regardless of the HTTPOnly cookie protection used. Of course, this goes way beyond showing an “alert()” popup in Javascript, since the attacker is also able to hijack the victim’s Facebook account. We also published an article to explain in more technical detail the works behind abusing this Cross-Site scripting vulnerability on Facebook.

Click here for high quality version of this video (opens a new window)

We worked with Facebook to make sure that this vulnerability is fixed. We would like to thank their security team for quickly fixing it.

Share this post
  • How is this an XSS attack?

    It looks more to me like its an CSRF attack….

  • Leave a Reply

    Your email address will not be published.