The vulnerability was in the page title appearing in the popover when you selected the like, message, or notification button from the top menu. The following steps were taken to produce the XSS on my iPhone:
- I created a new Facebook Page on my web browser and set its title to "<img src=x onerror=alert(/XSSed/)>".
- I opened the page in the Facebook Pages Manager application on my iPhone.
- I selected the like button from the top menu.
- An alert showing "/XSSed/" was displayed in the application--the script was activated.
I created a test user account and invited it to take on an admin role for the page. The test user account represented an unsuspecting victim. By clicking on just one button to accept the role, the test user gained permission to access the malicious page. I was able to confirm that the script was activated on that account as well.
This vulnerability was reported on August 11 and the fixed version was released on September 18 as part of Facebook's Security Bug Bounty Program.