Facebook also introduced Public Canvas Pages.
“Facebook now offers applications the ability to serve canvas pages to users not currently logged in to either Facebook or the application, or the user hasn’t agreed to the Terms of Service for the application.”
This means that with a successful attack an app could affect all Facebook users, not just those who have already added our Facebook app.
FBJS allows DOM element traversal with functions like getElementById and getChildNodes. This lets us get info from any element in our canvas sandbox, even those rendered by Facebook.
### Info Disclosure

Let's say we use a "Public Canvas Page" and want to get info about users who have not yet added our app. We will use the following FBML:
We use two FBML tags, "fb:profile-pic" and "fb:multi-friend-selector". FBJS does not allow us to access these elements directly, but because we wrap them in a div that we created, we can reach them with the element traversal functions:
Reading information is one thing, but we really want full control. Facebook does allow us to use Flash with the fb:swf tag, but it renders the embed tag for us and always includes allowscriptaccess="never" to prevent unwanted script access from Flash. It does, however, provide fb:fbjs-bridge, which lets Flash communicate with FBJS and FBML.
The problem is that this element is rendered inside our canvas area, so the traversal trick described above can be used to change the src of the "bridge" SWF (with setSrc, which I assume is meant for IMG tags) to an SWF file owned by us, giving us unrestricted script access.
HTML / JS:
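As an added illustration of the design flaw behind both issues above (not the post's own code, and not Facebook's FBJS), the toy sandbox below models traversal helpers with the same names as the FBJS functions the post relies on, and the missing ownership check that would have kept app script away from platform-rendered nodes nested inside the app's own div. All names (`makeSandbox`, `probe`, the node tree) are hypothetical and constructed for this example.

```javascript
// Added example, not Facebook's or the post's code: a toy model of a canvas
// sandbox whose traversal helpers (getElementById, getChildNodes, setSrc)
// mirror the FBJS functions named above, plus the ownership check that keeps
// app script from reaching platform-rendered nodes nested inside its own div.

function makeNode(id, tag, owner, children = []) {
  // owner is "app" for markup the application wrote and "platform" for
  // nodes the host rendered (profile pic, friend selector, fbjs-bridge swf)
  return { id, tag, owner, src: null, children };
}

// Constructed tree: the app wraps two platform-rendered widgets in its div.
const canvasTree = makeNode("canvas", "div", "app", [
  makeNode("wrapper", "div", "app", [
    makeNode("pic", "img", "platform"),
    makeNode("bridge", "embed", "platform"),
  ]),
  makeNode("banner", "img", "app"),
]);

function findById(node, id) {
  if (node.id === id) return node;
  for (const child of node.children) {
    const hit = findById(child, id);
    if (hit) return hit;
  }
  return null;
}

// Sandbox API. With enforceOwnership=false every reachable node is handed to
// app script (the behaviour the post describes); with it on, platform nodes
// are neither returned by traversal nor writable through setSrc.
function makeSandbox(root, enforceOwnership) {
  const allowed = (n) => !enforceOwnership || n.owner === "app";
  return {
    getElementById: (id) => { const n = findById(root, id); return n && allowed(n) ? n : null; },
    getChildNodes: (n) => n.children.filter(allowed),
    setSrc: (n, src) => { if (!allowed(n)) return false; n.src = src; return true; },
  };
}

// Walks the wrapper as app script would; reports visible children and whether setSrc succeeded.
function probe(enforceOwnership) {
  const sb = makeSandbox(canvasTree, enforceOwnership);
  const childIds = sb.getChildNodes(sb.getElementById("wrapper")).map((n) => n.id);
  const bridge = findById(canvasTree, "bridge"); // raw handle: exercises setSrc's own check
  const retargeted = sb.setSrc(bridge, "https://example.invalid/other.swf");
  bridge.src = null; // reset so repeated probes are independent
  return { childIds, retargeted };
}
```

The check is deliberately applied on every returned node and on every mutator, not just on the lookup entry point, because a wrapper element the app owns is a legitimate ancestor of nodes it must not touch.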