Bug 31270

This vulnerability is with regards to how easy it is to create a XSS + worm + phishing attack without necessarily triggering a non-technical user's security alarm. This could become a common attack vector at any point in time. 1. Create a Facebook group, 'Get $25 from $BANK'. (This works for any social networking site.) 2. Provide simple, easy-to-follow directions that will walk the person through using a "javascript:" URL, causing the user to create their own XSS hole in the social networking web application. 3. Use your new access to help promote the group in a worm-style manner, in a TRUSTED ENVIRONMENT: "Your friend Joe Smith has invited you to join the group, 'Get $25 from $BANK'." Non-malicious examples of 1-3 in the wild: -> http://www.facebook.com/group.php?gid=170096529644&v=info -> javascript:var numfriends=document.getElementById('friends').getElementsByTagName('li').length;fs.click(document.getElementById('friends').getElementsByTagName('a')[1].parentNode);for(var i=0; i < numfriends; i++){fs.click(document.getElementById('friends').getElementsByTagName('a')[i].parentNode);} 4. Add a script loader into the "javascript:" URL. Any will do. -> http://www.nczonline.net/blog/2009/07/28/the-best-way-to-load-external-javascript/ 5. Use the script loader to load http://www.example.com/maliciousscript.js which mutates the DOM (blows everything away)--without making a page request--and turns it into a phishing site. *** <FIXABLE PROBLEM> *** 6. Note that the URL still displays the "javascript:" URL. This effectively masks the site that the user is presently on (facebook.com, controlled by example.com/maliciousscript.js). With properly written instructions on the Facebook group the user will implicitly believe that they are on the actual $BANK site in spite of the "javascript:" URL being displayed in the location bar, *because they specifically pasted it there to create the action.* *** </FIXABLE PROBLEM> *** 7. Steal usernames and passwords from thousands of people. Profit.