Massive Facebook security flaw?

Questions and information about creating Internet aware NeoBook applications. Including PHP, HTML, FTP, HTTP, Email, etc.

Moderator: Neosoft Support

Postby fkapnist » Fri Jun 24, 2016 7:53 pm

I am using a version of this JavaScript to get all the iframes in a document:

Code:
// Collect every iframe in the document.
var iframes;
if ('iframes' in document) {
    iframes = window.document.iframes;
}
else {
    iframes = window.document.getElementsByTagName("iframe");
}
// URL and text of the first iframe.
var infosrc = iframes[0].src;
var infotxt = iframes[0].text;


Then with some more code I can view the url and content of the iframes.

But as it turns out, the Facebook Page "plugin" uses weird JavaScript that creates an iframe on the fly containing a link with a red security warning:

https://staticxx.facebook.com/connect/xd_arbiter.php?

I don't think it is my responsibility to try to patch up faulty Facebook scripts, but I want to continue to be able to inspect iframes in documents without having security warnings from websites that use Facebook plugins. Does anyone have a workaround suggestion?

:shock:

I tried to contact Facebook about this. They have no email address. The ThreatExchange Facebook page won't let me post a message...

fkapnist
 
Posts: 348
Joined: Mon Nov 17, 2014 4:24 pm
Location: Greece

Re: Massive Facebook security flaw?

Postby fkapnist » Fri Jul 01, 2016 5:42 am

I am making my own "developer tools" console for my web browser project. I want to be able to display all the external CSS, JavaScript, iframes and embeds of a page.

But since Facebook and some other advertisers put security tokens in cross-domain iframes, I might have to entirely remove the iframe option from my tools. Too bad...

:roll:

fkapnist
 
Posts: 348
Joined: Mon Nov 17, 2014 4:24 pm
Location: Greece
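
A same-origin-aware way to list a page's iframes, as an added example that is not part of the original posts: browsers do not expose the document of a cross-origin iframe to the embedding page, so this sketch always reports the frame URL and reads content only where the browser allows it. The names `inspectFrames`, `fakeFrame` and `sampleDoc`, and the `example.test` page URL, are hypothetical; the sample document is constructed so the code also runs outside a browser.

```javascript
// Added example: list iframes and read only what the same-origin policy allows.
// `doc` is a Document, or a stand-in object of the same shape.
function inspectFrames(doc, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  return Array.from(doc.getElementsByTagName("iframe"), (frame) => {
    const src = frame.getAttribute("src") || "";
    const info = { src, origin: null, readable: false, text: null };
    try {
      // Relative URLs resolve against the page; a frame with no src inherits the page origin.
      info.origin = src ? new URL(src, pageUrl).origin : pageOrigin;
    } catch (e) {
      info.origin = "invalid";
    }
    try {
      // For a cross-origin frame contentDocument is null, and
      // contentWindow.document throws a SecurityError; handle both.
      const inner = frame.contentDocument;
      if (inner && inner.body) {
        info.readable = true;
        info.text = inner.body.textContent;
      }
    } catch (e) {
      // Access denied: keep readable = false and report the URL only.
    }
    return info;
  });
}

// Constructed stand-in for a page with one local and one third-party iframe.
function fakeFrame(src, contentDocument) {
  return { getAttribute: (name) => (name === "src" ? src : null), contentDocument };
}
const sampleDoc = {
  getElementsByTagName: (tag) => (tag === "iframe" ? [
    fakeFrame("/local/help.html", { body: { textContent: "Help page" } }),
    fakeFrame("https://staticxx.facebook.com/connect/xd_arbiter.php?", null),
  ] : []),
};
const sampleReport = inspectFrames(sampleDoc, "https://example.test/index.html");
console.log(sampleReport);
```

In a browser, call `inspectFrames(document, location.href)`; frames marked `readable: false` can still be listed by URL in a tools panel without touching their content.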

