Below are the details of the bug as provided by the researcher to The Hackers Post.
[#] - Vulnerability Title:
[#] - Vendor homepage:
[#] - Remote/Local:
[#] - Tested on:
Windows 7 64-bit, Firefox browser (but it should have worked on other OSes and browsers; not sure about IE)
[#] - Vulnerability Submitted:
[#] - Vulnerability Status:
[#] - Vulnerable Parameter:
Facebook mobile provides a survey to evaluate the mobile user experience as users browse the Facebook mobile site. Here is the survey link: https://m.facebook.com/survey.php .
While entering the mobile phone brand, it provides a list of brands in case you didn't type the correct brand.
The list that was provided contained its HTML code inside the parameter:
https://m.facebook.com/survey.php?incorrect_brand&params=[HTML code of Brands and Radio Buttons]
A remote user can add any brand name and radio buttons, hence allowing remote HTML injection. It was as simple as it sounds. This could also result in junk entries being added to the database, causing spam, because a remote user can add entries and submit them.
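The flaw described above, reconstructed as an added example (this is not Facebook's code; the handler shape, the brand list and the function names are assumptions): the vulnerable handler echoes client-supplied markup from params into the form, while the hardened handler treats incorrect_brand as text only, builds the radio buttons from a server-side list, and rejects submissions for brands it does not know, which also blocks the junk entries mentioned above.

```python
import html
from urllib.parse import parse_qs

# Constructed sample of the server-side brand list (not Facebook's real list).
KNOWN_BRANDS = {"Apple", "HTC", "Nokia", "Samsung"}


def render_vulnerable(query_string: str) -> str:
    """Hypothetical reconstruction of the flaw: the brand suggestions arrive
    from the client as ready-made HTML in 'params' and are echoed unchanged."""
    qs = parse_qs(query_string)
    fragment = qs.get("params", [""])[0]
    # Attacker-controlled markup (extra brands, radio buttons) is rendered as-is.
    return "<form>" + fragment + "</form>"


def render_hardened(query_string: str) -> str:
    """Hardened handler: the only client input is the brand the user typed,
    and it is shown as text; the option list comes from the server."""
    qs = parse_qs(query_string)
    typed = qs.get("incorrect_brand", [""])[0]
    # Untrusted text is escaped so it can never be interpreted as markup.
    notice = f"<p>No brand named {html.escape(typed, quote=True)}. Did you mean:</p>"
    # Radio buttons are generated only from the trusted server-side list.
    options = "".join(
        f'<label><input type="radio" name="brand" value="{b}">{b}</label>'
        for b in sorted(KNOWN_BRANDS)
    )
    return "<form>" + notice + options + "</form>"


def accept_submission(brand: str) -> bool:
    """Server-side check on submit: only known brands reach the database,
    so injected or junk brand names cannot be stored as survey answers."""
    return brand in KNOWN_BRANDS
```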
Below is a screenshot of a portion of the exact POC the researcher submitted to Facebook:
Below is the first reply from Facebook, in which they acknowledged the issue:
Below is their reply after 2 months, when they had fixed the issue:
There is a rising trend of black hats shifting towards reporting bugs rather than exploiting them. Yesterday, we reported that the youngest security researcher found an XSS flaw on the Amazon site.
About Security Researcher Haider:
Haider Mehmood Qureshi is a BS Computer Science student at the COMSATS Institute of Information Technology, Islamabad. He works as a freelance penetration tester and started learning pentesting/hacking in 2009. Initially he was into defacing websites just for fun; later he decided to make pentesting/security auditing his career. You can contact the security researcher here.