Facebook open JavaScript hole

Used under creative commons from Editor B Flickr photostream

Yesterday Facebook made some important changes to the way in which Facebook Pages, the fan pages set up by brands, bands and even cucumbers, can be created.
In the past, the tabs that could be added to these pages were set up in one of two ways. The first used the Facebook FBML app, which allowed page tabs to be created using static Facebook Markup Language (FBML) or HTML; it wasn’t particularly engaging, but it was very simple to use. The second method was to add a custom Facebook app inside a standard FBML tab, which meant the custom app could request external data from a third party and display it inside the page tab. That content, though, was subject to many technical limitations, as it was all proxied through Facebook, which broke many things including tracking pixels, JavaScript and Flash.
So what is the big change? Well, Facebook now allow iframes to be included inside Facebook apps on page tabs, meaning that all that Facebook proxying can be avoided. While this is no doubt great news for legitimate developers, it will undoubtedly make life much easier for those with malicious intent too.
It is now possible to set up a Facebook page, create a default landing tab (the one you first see when you visit the page) and include an app that contains an iframe. That iframe can, for example, contain JavaScript which immediately and without user interaction redirects you to any site it chooses: say, a page containing Fake AV, or a page where an exploit kit is waiting to silently infect you with malware.
No more likejacking required, no more having to persuade users to install your app: if a criminal can make the bait sweet enough just to get you to visit the page, that is all they will require to start the chain that leads to your computer being compromised and used for criminal purposes.
Of course Facebook ask their developers to agree to a code of conduct that prohibits such activities, but when it comes to criminals, that’s a bit like taking a driving license away from a joyrider. 
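A technical control for the redirect described above, as an added example that is not part of the original post and is not Facebook's code: the JavaScript below audits embed markup and reports, per iframe, whether the markup lets framed script navigate the top-level page. It goes beyond the post by relying on the standard HTML `sandbox` attribute, which the post does not mention; the function names and the `tab-app.example` URLs are hypothetical.

```javascript
// Added example: which <iframe> embeds let framed content navigate the top-level page?
// Constructed sample markup (hypothetical URLs), one embed per sandbox policy.
const SAMPLE_MARKUP = `
<iframe src="https://tab-app.example/landing"></iframe>
<iframe src="https://tab-app.example/a" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src='https://tab-app.example/b' sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://tab-app.example/c" sandbox="allow-scripts allow-forms"></iframe>
<IFRAME SRC=https://tab-app.example/d SANDBOX></IFRAME>
`;

// Parse name="value", name='value', name=value and bare-name attributes.
function parseAttributes(attrText) {
  const attrs = new Map();
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s]+)))?/g;
  for (const m of attrText.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// HTML sandbox semantics for top-level navigation:
//   no sandbox attribute       -> the markup places no restriction on the frame
//   allow-top-navigation       -> framed script may navigate the top page at will
//   ...-by-user-activation     -> only in response to a user gesture (e.g. a click)
//   neither token (or empty)   -> top-level navigation is blocked
function topNavigationPolicy(attrs) {
  if (!attrs.has("sandbox")) return "unrestricted";
  const tokens = new Set(attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has("allow-top-navigation")) return "allowed";
  if (tokens.has("allow-top-navigation-by-user-activation")) return "user-gesture-only";
  return "blocked";
}

// Simplified tag scan: assumes no ">" inside attribute values, which holds for the sample.
function auditIframes(html) {
  const findings = [];
  for (const m of html.matchAll(/<iframe\b([^>]*)>/gi)) {
    const attrs = parseAttributes(m[1]);
    findings.push({ src: attrs.get("src") ?? "", policy: topNavigationPolicy(attrs) });
  }
  return findings;
}

for (const f of auditIframes(SAMPLE_MARKUP)) console.log(f.policy.padEnd(18), f.src);
```

Embeds reported as `unrestricted` or `allowed` are the ones that leave the no-interaction redirect open; `blocked` embeds keep a framed script from moving the visitor off the page.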
I have informed Facebook of this oversight in their new functionality and will update this blog posting if I hear back from them.
Thanks to Stig Edvartsen for his eagle-eyes and Heidi Obschil-Müller for the iframe.

10 thoughts on “Facebook open JavaScript hole”

  1. Chris Edwards

    “I have informed Facebook of this oversight in their new functionality”

    If you don’t mind my asking, what was their response?
