
Good news
I tried every one of his PoCs, and even though I have facebook domains allowed in NoScript, it still spotted that they were XSS and blocked 'em.
FTW!
Facebook has fixed a cross site scripting flaw that left its users at risk from scripting attacks. Security blog xssed.com has posted a harmless proof of concept demo of a flaw on the social networking website that could leave surfers vulnerable to malware. Attacks that trick users into handing over their credentials through …
I received a 419 scam message on LinkedIn a few months ago. I notified LinkedIn of it and to their credit they replied within 24 hours saying that they would investigate and delete the user account if it was found to be fraudulent.
As for the NoScript add-on, I agree it's great but that doesn't excuse shoddy coding! Perharps El Reg could point Facebook to this page: http://www.owasp.org/index.php/Top_10_2007-A1 ?
While we are at it I'd like to point out (Facebook in particular from my experience) freely allow the look alike banners that contain the/or similar user interface as the rest of the site and word their banners as such that it appears as they are part of the intended interface function/application. But in fact lead you to an unwanted location outside of the Facebook.com domain.
This to me is 100% malicious and the sites apparent support for it is juts as malicious. No way anyone will convince me that is responsible advertising.
If someone has to trick a user to access their site then they are acting in a malicious manner. It's unacceptable and unforgivable.
- Paris because she would know better!