An attacker exploiting the vulnerability could take control of the victim user’s web browser and perform any operation on Facebook that the user could, including reading or manipulating personal information stored on Facebook, accessing Facebook’s internal e-mail messages, sending such messages while impersonating the user, manipulating the friend list, installing Facebook applications, and posting messages on “walls” or other public forums.
Facebook has fixed the problem this week. However, four other vulnerabilities of roughly similar impact remain at the time of writing.
The fb:silverlight FBML tag looks like the following:
<fb:silverlight silverlightsrc="http://src.site/silverlight" width="400" height="300" />
var parentElement = document.getElementById("silverlightControlHost");
createSilverlightControl("http://src.site/silverlight", "400", "300");
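An added example, not part of the original advisory and not Facebook's code: assuming, as the two snippets above suggest, that the tag's attribute values are copied into string literals of the generated script, this is one way a generator can validate and encode them. All function names are hypothetical and the sample inputs are constructed.

```javascript
// Added example (not Facebook's code). Assumption: the server copies the
// fb:silverlight attribute values into string literals of an inline script.

// Encode a value as a JavaScript string literal that is also safe inside an
// HTML <script> block. JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements keep "<", ">", "&" and the U+2028/U+2029
// line separators from ending the literal or the script element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Accept only absolute http(s) URLs; anything else is rejected, not repaired.
function checkedUrl(src) {
  let u;
  try {
    u = new URL(src);
  } catch (e) {
    throw new Error("silverlightsrc is not an absolute URL");
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("silverlightsrc scheme not allowed: " + u.protocol);
  }
  return u.href;
}

// width and height must be plain decimal integers of one to four digits.
function checkedDimension(name, v) {
  if (!/^[0-9]{1,4}$/.test(String(v))) throw new Error(name + " must be 1-4 digits");
  return String(Number(v));
}

// Build the generated call from the tag's attributes.
function renderSilverlightCall(attrs) {
  const src = checkedUrl(attrs.silverlightsrc);
  const w = checkedDimension("width", attrs.width);
  const h = checkedDimension("height", attrs.height);
  return "createSilverlightControl(" + [src, w, h].map(jsStringLiteral).join(", ") + ");";
}

// Constructed sample input: the tag from the text, then a value with awkward characters.
const plain = renderSilverlightCall({
  silverlightsrc: "http://src.site/silverlight", width: "400", height: "300" });
const awkward = jsStringLiteral('a"b</script>\u2028');
console.log(plain);
console.log(awkward);
```

Validation and encoding do different jobs here: the checks reject values that are not a URL or a number at all, while the encoder guarantees that whatever is accepted stays inside its string literal.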
In total, five vulnerabilities of roughly the same impact were found during the few days after June 13th, 2008. The Facebook development team was notified of the first one on that day and of the others when they were discovered. The vulnerability described here appears to have been fixed during the following days. The others seem to remain at the moment.
Facebook’s response was an e-mail stating “We are aware of the problems that you described and hope to resolve them as soon as possible.” It is unclear whether Facebook was aware of all the issues prior to my reports, as my queries concerning this haven’t been answered.
The vulnerabilities were found and investigated by Jouko Pynnonen, Finland.