

Self-XSS attack explained - mkjones
https://www.facebook.com/photo.php?v=956977232793

======
Rygu
I believe the real problem lies in the fact that Flash can actually put things
in your clipboard. There should be a security configuration in Flash that
makes this clipboard "feature" disabled by default, or at least it should
alert the user when the new clipboard content contains malicious code.

Another thing that _Facebook_ can do is detect Wall-spamming and require the
user to confirm that (s)he really wants to spam all his/her friends.
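
The Wall-spamming detection Rygu proposes, as an added example that is not part of the original thread or of Facebook's code (the event shape, thresholds and sample posts are constructed for illustration):

```python
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # look-back window per (poster, content)
DISTINCT_RECIPIENTS = 5  # same text to this many friends inside the window

class WallSpamDetector:
    """Flags a poster once identical text has reached many distinct
    recipients inside a short window, the signature of a self-XSS payload
    that runs as the victim and posts the lure to every friend."""

    def __init__(self, window=WINDOW_SECONDS, threshold=DISTINCT_RECIPIENTS):
        self.window = window
        self.threshold = threshold
        # (poster, content digest) -> deque of (timestamp, recipient)
        self._events = defaultdict(deque)

    @staticmethod
    def _digest(content):
        # normalise so trivial whitespace/case changes share one bucket
        text = " ".join(content.lower().split())
        return hashlib.sha256(text.encode()).hexdigest()

    def observe(self, poster, recipient, content, ts):
        """Record one wall post. Returns True when the poster should be
        challenged before further posts go out. The challenge must be one
        the injected script cannot complete on the user's behalf (the
        replies below make this point), e.g. a CAPTCHA rather than a plain
        confirmation dialog."""
        q = self._events[(poster, self._digest(content))]
        q.append((ts, recipient))
        while q and ts - q[0][0] > self.window:   # expire old events
            q.popleft()
        return len({r for _, r in q}) >= self.threshold


# Constructed sample, not real traffic: "alice" has pasted the payload, which
# posts the lure to six friends within seconds; "bob" posts normally.
SAMPLE_EVENTS = [
    ("alice", f"friend{i}", "OMG see who viewed your profile! example.invalid/x", 1000 + i)
    for i in range(6)
] + [
    ("bob", "carol", "happy birthday!", 1000),
    ("bob", "dave", "see you at 7", 1010),
]

def flagged_posters(events, detector=None):
    """Run events through a detector and return the set of flagged posters."""
    det = detector or WallSpamDetector()
    return {p for p, r, c, ts in events if det.observe(p, r, c, ts)}
```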

~~~
eurleif
> Another thing that Facebook can do, is detect Wall-spamming and require the
> user to confirm that (s)he really wants to spam all his/her friends.

The XSS code could just be modified to automatically confirm its actions.

~~~
lancefisher
Not if it required a captcha.

~~~
callahad
But at that point, you're already working with a user that's fallen victim to
social engineering. The script could likely find a way to present the captchas
that would similarly fool the user into completing them.

~~~
mkjones
They could just tell the user that the captcha is part of the "security check"
the user must do to see if they're in the 2% or whatever. Users will do almost
anything if you instruct them well enough.

------
rsoto
The real question here is why is facebook embedding an untrusted widget. They
should whitelist youtube, vimeo and all the major content providers and this
issue is effectively gone.

I'm real curious about the url facebook is embedding. If it's an iframe, how
does facebook tell that it should be embedded?

~~~
lbrandy
> The real question here is why is facebook embedding an untrusted widget.

1. That's not really the question, at all. The attack works fine w/o flash.
Flash just helps reduce friction. I'm pretty certain we've seen versions of
the attack that don't use flash.

2. Given #1, it doesn't solve the problem, and it creates a new one. See the
other response you received.

~~~
rsoto
I'm not sure it might work without flash; there's no way to copy and paste, at
least aside from IE[1]. What I'm arguing is the fact that the widget is
embedded. Without it, at least one crucial step will be added (switch back to
the previous tab), making the scam way less effective.

1: <http://stackoverflow.com/questions/400212/how-to-copy-to-clipboard-in-javascript>
(yeah, it's kinda old, but just check google docs--even in chrome, there's no
way to copy something with the menu)

~~~
mkjones
We've seen the same attack on a 3rd party site that pops up a facebook window
that's minimized such that all you can see is the address bar, and has you
paste into there. Perhaps a lower conversion rate, but still effective.

------
nathanhammond
This type of attack has been possible for years, but wasn't really
_replicating_ until the advent of social networking. Here is the bug I filed
with Mozilla the first time I saw this type of attack in the wild:
<https://bugzilla.mozilla.org/show_bug.cgi?id=527530>

There is a lot of interesting discussion in the thread, and Brendan Eich shows
up to throw his two cents in as well.

Also, here is my blog post discussing an attack scenario:
<http://www.nathanhammond.com/social-engineering-issue-with-javascript-urls>

------
bialecki
Quick question, is there any difference between running code in the browser
bar vs. running it in the Chrome console? If there isn't, Chrome should just
disable this behavior. I don't think I've ever run code in the browser bar vs.
the console because I usually have the console open or it's very easy to get
to.

I bet most users would smell something fishy if they had to use something like
the console to see a video. "Going to a website," even if it's a JS snippet,
not a website, is something people are used to. Looking at developer tools,
even if it's asking an end user to just see if there was an error, still feels
very strange to them.

~~~
mkjones
I'm not 100% sure, but I think the chrome console is essentially the same, but
you needn't prepend with javascript: and it has like autocompletion and
history and a bunch of other things. Not sure why anyone would legitimately
use the address bar for js.

~~~
jrockway
_Not sure why anyone would legitimately use the address bar for js._

Bookmarklets, like <http://kathack.com/>.

~~~
re
Browsers can support bookmarklets without allowing javascript to be entered
directly in the address bar.

~~~
scotth
Then the attack shifts. The "security check" becomes, drag this link to your
bookmark bar and click it.

~~~
simonbrown
A solution to that for browser vendors: Don't let the user drag javascript
links from iframes into the bookmark bar.

~~~
jrockway
Why let users do anything in their browser? What if someone tricks them into
jumping out their window?

