Original release date: January 8th, 2010
Last revised: February 3rd, 2010
Discovered by: Juan Galiana Lara
Severity: 6.3/10 (CVSS Base Scored)
Facebook is a social networking website that is operated and privately owned by Facebook, Inc. Users can add friends and send them messages, and update their personal profiles to notify friends about themselves. Additionally, users can join networks organized by city, workplace, school, and region. The website's name stems from the colloquial name of books given at the start of the academic year by university administrations with the intention of helping students to get to know each other better.
The mobile interface of Facebook social network is affected by Cross-Site Scripting vulnerability due variable "q" is not properly sanitized in http://m.facebook.com/friends.php.
An attacker can inject HTML or script code in the context of victim's browser, so can perform XSS attacks, and steal cookies of a targeted user.
PROOF OF CONCEPT
An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal user targeted cookies.
This vulnerability has been discovered by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
January 8, 2010: Initial release.
February 3, 2010: Last revision.
January 2, 2010: Discovered by Internet Security Auditors.
January 9, 2010: Vendor contacted including PoC. No response.
January 11, 2010: Second contact. No response.
January 19, 2010: Third contact. No response. January 20, 2010: Vulnerability corrected without any kind of contact.
January 31, 2010: Response from Facebook Security member requiring info.
February 3, 2010: Sent to lists for public interest.
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.