Facebook fb:silverlight stored XSS

Overview

Facebook is a free-access social networking website with over 100 million active users. Facebook allows anyone to develop web applications to be used on the site with the Facebook Platform. The Platform includes a markup language called FBML and a sandboxed, specialized flavor of JavaScript called FBJS.

A persistent XSS vulnerability was found in the way the fb:silverlight FBML tag is processed. The tag is used to embed Microsoft Silverlight content in Facebook pages. JavaScript can be injected through the tag's attributes so that it runs whenever the page in question is viewed.

An attacker exploiting the vulnerability could take control of the victim user’s web browser and perform any operation on Facebook the victim could perform, including reading or manipulating personal information stored on Facebook, accessing Facebook’s internal e-mail messages, sending such messages while impersonating the user, manipulating the friend list, installing Facebook applications, posting messages on “walls” or other public forums, etc.

The method would allow creating a JavaScript worm or virus. In this scenario, users viewing an infected profile, wall post, internal e-mail message, or application page would get infected without any further user interaction. The script could be automatically and quietly injected into their profile and spread on to any visitors’ profiles.

Facebook has fixed the problem this week. However, four other vulnerabilities of roughly similar impact remain at the time of writing.

Details

The fb:silverlight FBML tag looks like the following:

 <fb:silverlight silverlightsrc="http://src.site/silverlight"
  width="400" height="300" />

The Facebook Platform processes this into a piece of HTML code containing an embed or object tag, plus a piece of JavaScript initializing the Silverlight object, resembling the following:

 var parentElement = document.getElementById("silverlightControlHost");
 createSilverlightControl("http://src.site/silverlight", "400", "300");

The framework encodes the parameters correctly when it comes to the HTML part, but it does not escape them for the JavaScript part: a trailing backslash in the width or height parameter escapes the closing double quote of the generated string literal, so the string does not end where the template expects it to and the rest of the line is parsed as code. Thus, the following FBML tag:

 <fb:silverlight silverlightsrc="a" width="\"
 height=",any_javascript_code_here);//" />

would produce the following JavaScript on the resulting web page:

 var parentElement=document.getElementById("silverlightControlHost");
 createSilverlightControl("a", "\", ",any_javascript_code_here);//");

An attacker can then place arbitrary JavaScript code in the unquoted function argument, e.g. by using eval() or an inline function expression.

Vendor response

In total five vulnerabilities of roughly the same impact were found during the few days after June 13th, 2008. The Facebook development team was notified of the first one on that day and of the others as they were discovered. The vulnerability described here appears to have been fixed during the following days. The others seem to remain unfixed at the moment.

Facebook’s response was an e-mail stating “We are aware of the problems that you described and hope to resolve them as soon as possible.” It is unclear whether Facebook had been aware of all the issues prior to my reports, as my queries concerning this have not been replied to.

Credits

The vulnerabilities were found and investigated by Jouko Pynnonen, Finland.