XSS (Cross Site Scripting) Attack on Facebook

Facebook Hacked and Redirects to Myspace.com

One of my most recent interests has been web security, with the continued growth of web 2.0 and the internet as a platform for web applications such as Facebook. Whenever you choose to accept input from users visiting your website you must address the security issues associated with this.

Today it appears there has been some sort of a persistent XSS attack on the highly popular Facebook site. I first came to discover this when I went to one of my websites, CycleSteals.com, and viewed a page that I had put the Facebook “like” button on. This is simply an iframe hosted by Facebook. The problem was that upon viewing my page it would redirect to Myspace.com. At first I thought it may have been an isolated incident of maybe one of the deals having some code that was copied from another site that was vulnerable to an attack. After further investigation I noticed that it happened on ALL pages that had the like button.

Let me explain the magnitude of this. EVERY website on the internet that uses the Facebook like button will automatically be forwarded to Myspace.com. Everyone trying to navigate to Facebook.com through the internet will be forwarded to Myspace.com.

The repercussions are unimaginable. Not only does Facebook lose its daily traffic that they depend on to advertise to, Myspace’s servers are getting hit HARD! They are getting their normal traffic, plus all the traffic coming from Facebook, plus all the traffic from every other webpage on the internet that has the like button embedded using the iframe method.
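The redirect described above is only possible because an ordinary cross-origin iframe is allowed to navigate the page that embeds it. The standard HTML `sandbox` attribute removes that capability unless the host explicitly grants `allow-top-navigation`. The following is an added example, not code from this post or from Facebook: a small Node.js helper that audits a widget embed for that capability and rewrites it with a restrictive sandbox. The function names and the sample embed string are assumptions made for the example.

```javascript
// Added example (not from the original post or from Facebook): audit and harden
// third-party widget <iframe> embeds so the framed document cannot navigate the
// embedding (top-level) page. Uses only the standard HTML `sandbox` attribute;
// the helper names and the sample embed below are constructed for this example.

// Sandbox flags that would let the framed document redirect the host page.
const TOP_NAV_FLAGS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Capabilities a typical widget needs; none of them permits top navigation.
const SAFE_FLAGS = ['allow-scripts', 'allow-same-origin', 'allow-popups', 'allow-forms'];

// Matches a `sandbox` attribute inside an iframe's attribute list. The value
// group is optional because a bare `sandbox` attribute means "all restrictions".
const SANDBOX_ATTR = /\ssandbox\b(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/i;

// Returns the sandbox flags of the first <iframe> in `html`, or null if the
// frame has no sandbox attribute at all (i.e. it is completely unrestricted).
function sandboxFlags(html) {
  const tag = html.match(/<iframe\b([^>]*)>/i);
  if (!tag) throw new Error('no <iframe> tag found');
  const attr = tag[1].match(SANDBOX_ATTR);
  if (!attr) return null;
  if (attr[1] === undefined) return []; // bare `sandbox`: everything restricted
  return attr[1]
    .replace(/^["']|["']$/g, '')
    .split(/\s+/)
    .filter(Boolean)
    .map((f) => f.toLowerCase());
}

// True if the framed document could change window.top's location.
function canNavigateTop(html) {
  const flags = sandboxFlags(html);
  if (flags === null) return true; // unsandboxed frames may navigate the host page
  return flags.some((f) => TOP_NAV_FLAGS.has(f));
}

// Rewrites every <iframe> in `html` with a sandbox attribute granting only
// `allowed` flags, dropping any top-navigation flag the caller passes in.
function hardenIframeEmbed(html, allowed = SAFE_FLAGS) {
  const flags = allowed.filter((f) => !TOP_NAV_FLAGS.has(f.toLowerCase()));
  return html.replace(/<iframe\b([^>]*)>/gi, (match, attrs) => {
    const stripped = attrs.replace(new RegExp(SANDBOX_ATTR.source, 'gi'), '');
    return `<iframe${stripped} sandbox="${flags.join(' ')}">`;
  });
}

// Constructed sample: an unsandboxed widget embed of the kind the post describes.
const SAMPLE_EMBED =
  '<iframe src="https://www.facebook.com/plugins/like.php?href=https://example.test/"' +
  ' scrolling="no" frameborder="0" width="450" height="80"></iframe>';

// Runs the audit before and after hardening and returns both verdicts.
function demo() {
  const hardened = hardenIframeEmbed(SAMPLE_EMBED);
  return {
    before: canNavigateTop(SAMPLE_EMBED), // true: the widget could redirect the host
    after: canNavigateTop(hardened),      // false: top navigation is now blocked
    hardened,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

One caveat on the chosen flag set: `allow-scripts` together with `allow-same-origin` lets a framed document that is same-origin with the host remove its own sandbox, so the combination is only safe for cross-origin widgets like the one in this post. Whether a given provider's widget still functions under these restrictions has to be tested against that provider.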

It’s a beautiful day here in Southern California and I’d hate to be on the development team of Facebook and get the call that says get home and get to work to fix this!!!
