
Thread: Facebook 3rd Party App Installing Page UI Redressing Vulnerability

  1. #1

    Facebook 3rd Party App Installing Page UI Redressing Vulnerability

    #Title: Facebook 3rd Party App Installing Page UI Redressing Vulnerability
    #Author: Sandeep Kamble
    #Business Risk: Medium Risk
    #Attack Type: UI Redressing Vulnerability
    #Tested Browser: Firefox 3.6.27
    #OS: Win 7 / Linux
    #Reported Date: July 26, 2011


    Summary
    G'day! Recently, I submitted a UI Redressing vulnerability to Facebook. The vulnerability enables an attacker to install any 3rd party malicious application into the victim's Facebook account.

    Overview
    Clickjacking (UI Redressing) is an exploit in which code on a malicious website is hidden beneath apparently legitimate buttons.

    The strange part of this testing was that the Facebook 3rd party app installing page was already protected against UI redressing. The protection works perfectly on Chrome, Safari, IE & the new version of FF.

    But the Facebook 3rd party app installing page's UI redressing protection failed to work on Firefox 3.6.27. So in Firefox 3.6.27 I perfectly iframed the page & made a perfect PoC for the Facebook team.

    Code:
    Public PoC:


    Special thanks to the FB team for fixing this bug, and to my team G4H!

    Thanks
    [S] - Sandeep
    Last edited by [s]; 08-04-2012 at 11:12 AM.
    Garage4Hackers: bugs for the community, of the community


  2. #2
    fb1h2s (Security Researcher, India):
    Good job. Any idea why the protection was not working on FF, some JS failure? Do you have the previous code with you to check how Facebook dealt with this issue?
    Hacking is a matter of time, knowledge and patience.

  3. #3
    Quote Originally Posted by fb1h2s:
    Good job. Any idea why the protection was not working on FF, some JS failure? Do you have the previous code with you to check how Facebook dealt with this issue?
    Yes, it was a JS failure! I have confirmed with Facebook! I don't have a copy of the JS.
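The Overview in post #1 describes the attack pattern (the target page loaded in a transparent frame under a decoy button), and posts #2 and #3 say the page's in-page protection broke because of a script failure in one browser build. The following is an added example, not the PoC from the original post (which is not included on the page) and not Facebook's code: it builds the generic shape of such a UI-redressing page, then checks from a target page's response headers whether a given attacker origin would be allowed to frame it under X-Frame-Options and CSP frame-ancestors, the browser-enforced defenses that do not depend on the framed page's own script running. All origins, URLs, header values and pixel offsets are placeholders chosen for the example.

```javascript
// Added example; not the thread author's PoC and not Facebook's code.
// All origins, URLs, header values and pixel offsets below are placeholders.

// (1) Attacker side: the generic shape of a UI-redressing page.
// A visible decoy button is placed where the victim will click; the target
// page is loaded in a fully transparent iframe stacked above it, shifted so
// the target's real "Allow"/"Install" button lands exactly under the decoy.
// The click therefore goes to the invisible frame, not to the decoy.
function buildClickjackPage(targetUrl, decoyText, buttonOffset) {
  // buttonOffset: where the real button sits inside the target page (px)
  const decoyX = 100, decoyY = 100;
  return `<!doctype html>
<html><body>
<button style="position:absolute;left:${decoyX}px;top:${decoyY}px;z-index:1">${decoyText}</button>
<iframe src="${targetUrl}" scrolling="no"
        style="position:absolute;left:${decoyX - buttonOffset.left}px;top:${decoyY - buttonOffset.top}px;
               width:800px;height:600px;opacity:0;z-index:2;border:0"></iframe>
</body></html>`;
}

// (2) Defender side: does the target page's response allow attackerOrigin to
// frame it? This mirrors the browser rules: a CSP frame-ancestors directive
// takes precedence over X-Frame-Options; with neither present, only the
// page's own script could resist framing, which is the fragile case the
// thread describes.
function canBeFramed(headers, targetOrigin, attackerOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
    if (sources.includes("'none'")) return false;
    if (sources.includes('*')) return true;
    if (sources.includes("'self'") && sameOrigin(targetOrigin, attackerOrigin)) return true;
    return sources.some(src => sourceMatches(src, attackerOrigin));
  }

  const xfoRaw = (h['x-frame-options'] || '').trim();
  const xfo = xfoRaw.toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(targetOrigin, attackerOrigin);
  if (xfo.startsWith('ALLOW-FROM ')) {
    return sameOrigin(xfoRaw.slice('ALLOW-FROM '.length).trim(), attackerOrigin);
  }
  return true; // no header-level framing policy at all
}

function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch (e) {
    return false; // malformed value never grants framing
  }
}

// Match one CSP host-source ("https://app.example", "https://*.example",
// "*.example") against an origin. Ports and paths are ignored for brevity.
function sourceMatches(src, origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(':', '');
  const [srcScheme, srcHost] = src.includes('://') ? src.split('://') : [scheme, src];
  if (srcScheme !== scheme) return false;
  if (srcHost.startsWith('*.')) return u.hostname.endsWith(srcHost.slice(1));
  return srcHost === u.hostname;
}

// Constructed sample responses for the target page (placeholders, not real
// headers observed from any site).
const SAMPLE_RESPONSES = {
  'script-only protection': {},
  'X-Frame-Options DENY': { 'X-Frame-Options': 'DENY' },
  'CSP frame-ancestors self': { 'Content-Security-Policy': "frame-ancestors 'self'" },
};

for (const [label, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const framable = canBeFramed(headers, 'https://target.example', 'https://attacker.example');
  console.log(`${label}: attacker can frame = ${framable}`);
}
```

The point of the second half is the caveat the thread raises: a frame-busting script is only as good as the browser's willingness to run it, whereas X-Frame-Options is enforced by the browser before the page's script is involved (Firefox gained X-Frame-Options support in 3.6.9, and CSP frame-ancestors came later). ALLOW-FROM was only ever honoured by some browsers, so a policy that relies on it should be treated as DENY/SAMEORIGIN plus an exception, not as a general allow-list.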

  4. #4
    amolnaik4 (Web Security Consultant):
    Very nice bug, Sandeep... keep it up.

  5. #5
    Quote Originally Posted by amolnaik4:
    Very nice bug, Sandeep... keep it up.
    Thanks Amol, I remember your clickjacking talk at Null.

  6. #6
    Great find, keep it up bro!! Go G4H!
    When the way comes to an end, then change - having changed, you pass through
