A new web site, socialnetworksecurity.org, has been set up to publish details of security vulnerabilities in social networks such as Facebook, Lokalisten, Friendscout24.de, wer-kennt-wen.de and XING. Most of the vulnerabilities listed could be exploited for cross-site scripting (XSS) attacks. Jappy.de, for example, contains one such vulnerability which allows contacts' cookies to be stolen.
The team behind socialnetworksecurity.org also found several vulnerabilities on XING. On Facebook, phishing attacks can be carried out by using a forwarding script which, via a Facebook link, generates an HTTP login request whose content is readily viewable. Some web site operators have yet to respond to the vulnerability disclosures. Our colleagues at heise Security were still able to reproduce the XSS vulnerability on Kwik on Monday afternoon.

The link for this article located at H Security is no longer available.