119 Comments
- jus1haz2, on 11/27/2007, -10/+129 I wonder if the girl is hot?
- DeviantDragon, on 11/27/2007, -3/+79 Okay the main implication is not that it's "cool" it's that this has tremendous potential for malicious action and abuse. Beware.
- JARSInc, on 11/27/2007, -3/+45 http://xkcd.com/322/
- NicksVideo, on 11/27/2007, -0/+39 http://www.cs.virginia.edu/felt/photo.html
- diulei, on 11/27/2007, -1/+38 If you visit her website detailing her Facebook project, you'll see that they've already fixed this exploit as of August 2007. So this video is a few months old.
http://www.cs.virginia.edu/felt/fbook/
- will-rom, on 11/27/2007, -7/+38 doesn't matter. she doesn't even use Adblock. psshhh. what a n00b.
- dankosaur, on 11/27/2007, -0/+26 negative 3 months
- Archon810, on 11/27/2007, -2/+27 No.
- Bologner, on 11/27/2007, -1/+26 Wow, cute as hell.
- kalleanka, on 11/27/2007, -0/+23 From her website:
"Facebook patched the XSS hole last night. The flaw was located in the fb:swf tag, which is the FBML tag that allows for the embedding of a Flash swf file."
Seems it's fixed by now.
- postalblowfish7, on 11/27/2007, -0/+15 she's out of your league.
- richardiscool, on 11/27/2007, -2/+17 She's using Safari.
- Murdats, on 11/27/2007, -5/+19 exactly, psshhh. what a n00b
- arcooke, on 11/27/2007, -0/+13 @ DemsFTW - Use the reply link.
not kidding.
- vsujohn2, on 11/27/2007, -0/+12 Lol, last night as in 2+ months ago
- Archon810, on 11/27/2007, -0/+12 26. It's in the Guinness World Book of Records, you can go check.
- persecuted, on 11/27/2007, -1/+11 Insightful and thought provoking point.
- voetsjoeba, on 11/27/2007, -0/+9 I puked a little when I realized what FBML stands for.
- skeetshot, on 11/27/2007, -2/+11 All your wall post are belong to us
- michaelothomas, on 11/27/2007, -0/+9 Congrats on making the front page of digg Adrienne, who cares if it's like 3 months late...:)
- echolyean, on 11/27/2007, -0/+8 It's not a trick, it's a warning. A lesson, as it were. So yes, it is educational.
- Mageling, on 11/27/2007, -0/+8 Yeah, she's conscious.
- iziizi, on 11/27/2007, -0/+8 Yes, but I can't be bothered. And the exploit was through FIREFOX...
- plusmedic, on 11/27/2007, -0/+8 Yes, far too much. Facebook applications have ruined Facebook enough as it is, the last thing it needs is the ability for users to start modifying their profile until it's an ugly, seething, sparkling page of bad design.
- teh_techie, on 11/27/2007, -0/+5 Well, seeing as how they already patched this hole.. never!
- jserio, on 11/27/2007, -0/+5 I'd hit it! I mean, um.
- phronko, on 11/27/2007, -0/+5 Myspace.
That is all.
- luet, on 11/27/2007, -4/+9 I'm burying this because of what the end of the video said. It will happen.
- Hixz, on 11/27/2007, -2/+7 "Facebook patched the XSS hole last night." posted on 16 August 2007
http://www.cs.virginia.edu/felt/fbook/
laugh out loud.
- merreborn, on 11/27/2007, -1/+6 It also says that facebook closed the hole 2 months ago.
- arcooke, on 11/27/2007, -2/+7 Their.
Would you say "They are tools are terrible"? No.. so don't use "they're".
English 101. Stay in school.
- merreborn, on 11/27/2007, -1/+5 It was fixed in August.
http://www.cs.virginia.edu/felt/fbook/
- UberNick, on 11/27/2007, -1/+5 The creator's page with full details on exploit:
http://www.cs.virginia.edu/felt/fbook/
- inactive, on 11/27/2007, -0/+4 Whoa, that was a close one. I'm glad we have you on the lookout burying things for us so the bad guys don't find out. Meanwhile, it makes the front page.
P.S. It was fixed in August.
- UberNick, on 11/27/2007, -0/+4 The idea behind the exploit is that facebook's api gives developers a swf tag to play flash movies. Facebook's code will automatically embed an image that links to this swf tag, and external styles can be applied to this image. Good find. I'm sure more exploits will be found in the API.
An interesting side note for someone with a CS degree interested in security... She posts a "censored" resume on her site that's vulnerable to the same "copy-paste exploit" as government agencies have been getting all kinds of bad press about. Bravo.
- suprxtragrav, on 12/09/2008, -2/+6 sweet -- so i should be able to make hot girls create relationship requests with me amirite?!
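UberNick's comment above describes the general shape of the problem: a host site takes a tag written by a third-party developer, renders it into an HTML element of its own, and whatever attributes the developer supplied flow into that element. The Python below is an added example for this thread, not code from the video, from Adrienne Felt's write-up, or from Facebook; the tag syntax, the attribute names (swfsrc, imgsrc, width, height) and the idea of rendering the tag to an <img> preview are assumptions made for illustration. It contrasts a renderer that copies attributes through with one that allowlists them, which is the kind of filtering fix the thread says was applied in August 2007.

```python
import html
import re
from urllib.parse import urlparse

# Hypothetical, simplified model of a mashup-markup renderer: the host site
# turns a developer-supplied <fb:swf ...> tag into an <img> preview element.
# This is an illustration only, not Facebook's actual fb:swf implementation;
# the attribute names below are assumed for the example.

ALLOWED_ATTRS = {"swfsrc", "imgsrc", "width", "height"}
URL_ATTRS = {"swfsrc", "imgsrc"}
_ATTR_RE = re.compile(r'([A-Za-z_:][-\w:]*)\s*=\s*"([^"]*)"')

# Constructed sample input: a tag carrying an extra style attribute that the
# allowlist does not know about.
SAMPLE_TAG = ('<fb:swf swfsrc="http://example.com/movie.swf" '
              'imgsrc="http://example.com/poster.png" width="100" height="80" '
              'style="position:absolute">')


def parse_attrs(tag: str) -> dict:
    """Extract name="value" pairs from a single double-quoted tag."""
    return {name.lower(): value for name, value in _ATTR_RE.findall(tag)}


def render_naive(tag: str) -> str:
    """Weak renderer: every attribute the developer wrote is copied into the
    <img>, so anything the site did not anticipate lands in the page."""
    attrs = parse_attrs(tag)
    return "<img" + "".join(f' {k}="{v}"' for k, v in attrs.items()) + ">"


def render_hardened(tag: str) -> str:
    """Allowlist renderer: unknown attributes are dropped, URL attributes must
    be http(s), sizes must be integers, and every value is HTML-escaped."""
    kept = {}
    for k, v in parse_attrs(tag).items():
        if k not in ALLOWED_ATTRS:
            continue  # style=, event handlers, anything unexpected: never emitted
        if k in URL_ATTRS and urlparse(v).scheme.lower() not in ("http", "https"):
            continue  # only plain web URLs are acceptable as sources
        if k in ("width", "height") and not v.isdigit():
            continue  # sizes are plain integers, nothing else
        kept[k] = html.escape(v, quote=True)
    parts = []
    if "imgsrc" in kept:
        parts.append(f'src="{kept["imgsrc"]}"')
    if "swfsrc" in kept:
        parts.append(f'data-swf="{kept["swfsrc"]}"')
    for k in ("width", "height"):
        if k in kept:
            parts.append(f'{k}="{kept[k]}"')
    return "<img" + "".join(" " + p for p in parts) + ">"


def dropped_attrs(tag: str) -> set:
    """Attribute names that are not on the allowlist; a useful server-side log
    signal when submitted markup keeps tripping the filter."""
    return {k for k in parse_attrs(tag) if k not in ALLOWED_ATTRS}


if __name__ == "__main__":
    print("naive:   ", render_naive(SAMPLE_TAG))
    print("hardened:", render_hardened(SAMPLE_TAG))
    print("dropped: ", dropped_attrs(SAMPLE_TAG))
```

The point of the allowlist is that the fix does not depend on recognizing each bad attribute: the renderer decides what it will emit and discards the rest, so an attribute the site never thought about cannot reach the output. Logging what `dropped_attrs` rejects gives the host a cheap way to notice when someone is probing the filter.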
- inactive, on 11/27/2007, -4/+7 Saying it's not for malicious use surely means..'openly asking for attacks and misuse by idiots' DUMB!
- Chaulis, on 11/27/2007, -0/+3 He has been dug down 27 times, I kinda don't want to dig him down more. 27 seems fitting.
- RooDoG, on 11/27/2007, -7/+10 *Insert sexist digg comment here?*
- johnwc723, on 11/27/2007, -0/+2 I can imagine it doesn't take too many diggs for something from Videos>Educational section to end up on the front page...
- tomharrow, on 11/27/2007, -1/+3 jesus christ - that is a blast from the past!
- jakash, on 11/27/2007, -0/+2 I don't understand :(
- uracre, on 11/27/2007, -0/+2 Doesn't really happen that way. First she has to come up with something more than digging for exploits and security holes. In this case this is not even a major issue to begin with.
- CyberSol, on 11/27/2007, -0/+2 Mom?
- inactive, on 11/27/2007, -0/+2 It's a woman.
Believe it.
- radzie78, on 11/28/2007, -0/+2 http://www.cs.virginia.edu/felt/photo.html
- Tenetri, on 11/27/2007, -0/+2 15 is the minimum I believe, but that's all time calculations and such
- adrifelt, on 11/27/2007, -0/+2 The filtering hole that made this possible was fixed in August. What I think is interesting is the fact that a small, simple hole can be abused to do major damage (take control over user accounts / spread like a virus / etc). Although they patched the hole, the design flaw still exists. Mashup security is hard. If you want detailed information on how this type of thing works, check out: http://www.cs.virginia.edu/felt/fbook/facebook-xss ...
Also, there's a lot of confusion about the friend requests.....clearly the VICTIM is not the one OKing the friend request. If you had looked at my profile while this worked, you'd unknowingly send me a friend request. Then I (as the hacker who controls the code) have the option of accepting/not accepting the request.
- Bologner, on 11/27/2007, -0/+2 So is capitalizing the first word in a sentence, spelling "something", capitalizing your "I"s, and separating sentence fragments with punctuation.
- sint4x, on 11/27/2007, -0/+2 WYSIWYG editors