Saturday, March 13, 2010

More Bugs on apps.facebook.com

Let's look at some new vulnerabilities on apps.facebook.com. Still the same classes as last time: SQL injection and HTML injection.

apps.facebook.com/ufundraise - SQL injection

apps.facebook.com/app-tap - HTML injection - see POC

apps.facebook.com/pronosticstn - SQL injection

apps.facebook.com/travelbuddies - HTML injection and redirect - see POC

apps.facebook.com/checkmycampus - HTML injection - see POC

I'm tired of searching for others, but I'm sure that many more are vulnerable. Anyway,
check also my old post, Multiple bugs on apps.facebook.com
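As an added illustration (this is example code written for this page, not code from the post or from any of the apps listed above), here is a minimal Python model of the two bug classes named here plus the redirect case on the travelbuddies entry: a lookup that splices a request parameter straight into SQL beside its parameterized version, a page fragment that echoes a name unescaped beside the escaped version, and a check for a redirect target. The sqlite3 table, its column names and its rows are constructed for the example and stand in for whatever the real apps use.

```python
import html
import sqlite3
from urllib.parse import urlsplit


def make_db():
    """Constructed in-memory table standing in for an app's backend (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE predictions (user TEXT, game TEXT, score TEXT)")
    conn.executemany(
        "INSERT INTO predictions VALUES (?, ?, ?)",
        [("alice", "TUN-EGY", "2-1"), ("bob", "TUN-EGY", "0-0"), ("carol", "MAR-ALG", "1-1")],
    )
    return conn


def lookup_vulnerable(conn, user):
    """The bug pattern: a GET parameter pasted into the query text.

    A value like  ' OR '1'='1  turns the WHERE clause into a tautology and
    returns every row; a value ending in a comment marker does the same.
    """
    sql = "SELECT user, game, score FROM predictions WHERE user = '%s'" % user
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, user):
    """Same lookup with a bound parameter: the value is data, never SQL syntax."""
    sql = "SELECT user, game, score FROM predictions WHERE user = ?"
    return conn.execute(sql, (user,)).fetchall()


def render_vulnerable(name):
    """HTML injection: the name is reflected into the page verbatim."""
    return "<p>Welcome, %s</p>" % name


def render_fixed(name):
    """Escape on output so <, >, & and quotes cannot start new markup."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


def safe_redirect_target(target, fallback="/"):
    """Only accept a same-site relative path as a redirect destination.

    Anything carrying a scheme or host (http://evil..., //evil..., javascript:)
    or a backslash (which some browsers treat like a slash) falls back to `/`.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return fallback
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return fallback
    return target


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row comes back
    print("fixed:     ", lookup_fixed(db, payload))        # no such user, empty list
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_fixed("<script>alert(1)</script>"))
    print(safe_redirect_target("http://evil.example/"), safe_redirect_target("/home"))
```

The developer comment below on pronosticstn describes exactly the first pattern (GET parameters used directly in SQL); the parameterized query is the fix for it regardless of which database library the app uses. Escaping on output, not on input, is what closes the HTML injection cases, and the redirect check is the usual answer to an app that forwards users to whatever URL it is handed.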

4 comments:

mahertriki said...

Note that this is not Facebook you "hack" but the "apps" developed by individuals (which are hosted by individuals), and therefore you are not connected to the Facebook servers. So your SQL vulnerabilities can affect applications in Facebook but not Facebook itself (the difference is huge anyway).

d3v1l said...

I know, lol

Akr@m G said...

I'm the developer of the Tunisian football game (http://apps.facebook.com/pronosticstn/ ),
so thanks for the hack ^^
I will try to fix my noob bugs like using GET parameters directly in SQL requests :p

Anonymous said...

Somehow I lost 18M on poker through this vulnerability.
I just clicked on this link and my chips were gone in 10 minutes:
http://apps.facebook.com/friendsmagazine/
You need to be logged in to Facebook to see this link.