Monday, November 12, 2012

Stored XSS on Facebook Pages Manager

Facebook Pages Manager is an iOS application that makes it easier for page admins to view insights, respond to the audience, comment on the pages, etc. There was a stored XSS vulnerability in the versions before 1.4, which was released in the middle of September.

The vulnerability was in the page title as it appeared in the popover shown when you selected the like, message, or notification button from the top menu. The following steps were taken to produce the XSS on my iPhone: