back to article Facebook ignores huge security hole for four months

Facebook has been sitting on a nasty website flaw that for four months has made its users susceptible to malware and forgery attacks. The cross-site scripting (XSS) error can be plainly demonstrated here and here. It allows a miscreant to trick a user into believing he is visiting Facebook when the vast majority of the content …


This topic is closed for new posts.
  1. Moss Icely Spaceport

    Easier answer

    Just don't use Facebook/Myspace et al.

    I don't have any use for such on-line tat.

  2. James Roper

    NoScript won't help you.

    The NoScript plugin can't help you with any Facebook security vulnerabilities... To use Facebook, you need Javascript, so you need Facebook whitelisted in the NoScript configuration. Because it's whitelisted, you are now vulnerable to any XSS attacks, because XSS vulnerabilities usually mean injecting Javascript into files that are sourced from Facebook. So, either you use Facebook, and are vulnerable whether you have NoScript installed or not, or you don't use Facebook, in which case you don't need NoScript to protect you.

  3. Anonymous Coward
    Anonymous Coward

    Is it just me...

    or do the examples not work?

  4. James O'Brien

    "an ugly worm dubbed Koobface"

    Am I the only one who read this as Knobface?

    /yes yes I'm gone

  5. Ropata

    But James, XSS is *remote* script!

    NoScript is able to distinguish XSS from JavaScript running locally. Its XSS filter even remains active when you allow js globally. For example embedded Youtude vids are blocked until you explicitly allow them.

    And *everybody* should use NoScript -- XSS attacks are very common, and malicious js is not just limited to obscure corners of the web. Even big sites get compromised sometimes.

  6. TeeCee Gold badge

    How fast?

    "....quick-moving attack targeting Google Orkut....."

    Ok, exactly how long did it take to affect *both* users?

  7. Anonymous Coward
    Paris Hilton

    NoScript Does Work

    And frankly anyone not using NoScript, AdBlock Plus and Adblock Filterset.G Updater is a bit stupid. And anyone not capable of or getting annoyed over operating NoScript shouldn't be let anywhere near a computer.

  8. Matthew Joyce
    Thumb Up

    Top marks

    Three hours after publishing? Whether or not Facebook is of any value, well done El Reg!

    Named and shamed...

  9. Leo Davidson
    Thumb Down

    NoScript: The cure is worse than the disease.

    I tried using NoScript. I love the idea of it in principal. Unfortunately half an hour of using it will made me realise how much of the web depends on Javascript. The majority of sites I visited were completely broken and I have to keep whitelisting things to the point that it seemed utterly pointless.

    If pretty much breaking the entire Internet is your idea of a fix then I'd rather be broken. Here's a similar fix: Turn off your computer.

    I went back to using Flashblock instead.

    I'd love it if Javascript wasn't used so (IMO) gratuitously. (It's used wonderfully on many sites but on others, where you're being served a static page, it makes me wonder WTF the site authors were thinking.) If I only had to whitelist a few sites, like I do with Flashblock, then NoScript would be great. Having to whitelist a huge number of sites is a giant hassle and makes me question what I'm protecting myself from when so many things are granted an exception.

  10. Jim Carter

    @ James O'Brien

    No mate, you're not. So, this coat rack is starting to look bare...

  11. Farai
    Paris Hilton

    I reckon...

    the Facebook engineers were busy sitting reading The Register rather than checking their mailboxes - who would argue based on clear evidence?!?

    Paris, because she keeps her eyes on the right kinda ball!

  12. Anonymous Coward
    Thumb Down


    Examples work for me...

  13. Giorgio Maone

    NoScript's Anti-XSS protection, James

    @James Roper:

    Please RTFM, before posting misinformed comments:

  14. Aaron

    'Within three hours of posting this story...'

    more like REDfacebook amirite

  15. Dave
    Thumb Down


    Care to bet your life on that?

    NoScript is more of a pain than a saviour, not least because of the false sense of security that its users have.

  16. Pierre

    Examples don't work here...

    ... and it's without NoScript.

  17. Moddy


    Perhap you should RTFA and note they were closed within 3 hours of this article being posted?

    Top article.

  18. Jason DePriest

    bad advice

    Hey AC, Adblock Filterset.G does not work with AdBlock Plus and, in fact, the AdBlock Plus folks tell you not to install it if you have AdBlock Plus (

    I wonder if Firekeeper would catch it... it picks up some other attacks.

  19. Pete "oranges" B.

    I told ja, I told ja!

    No gosh-dern good would come 'a these whipper-snappers and their gosh derned Web 2.0!

This topic is closed for new posts.

Other stories you might like