Facebook has been sitting on a nasty website flaw that for four months has made its users susceptible to malware and forgery attacks. The cross-site scripting (XSS) error can be plainly demonstrated here and here. It allows a miscreant to trick a user into believing he is visiting Facebook when the vast majority of the content …
Just don't use Facebook/Myspace et al.
I don't have any use for such on-line tat.
NoScript won't help you.
Is it just me...
or do the examples not work?
"an ugly worm dubbed Koobface"
Am I the only one who read this as Knobface?
/yes yes I'm gone
But James, XSS is *remote* script!
And *everybody* should use NoScript -- XSS attacks are very common, and malicious js is not just limited to obscure corners of the web. Even big sites get compromised sometimes.
"....quick-moving attack targeting Google Orkut....."
Ok, exactly how long did it take to affect *both* users?
NoScript Does Work
And frankly anyone not using NoScript, AdBlock Plus and Adblock Filterset.G Updater is a bit stupid. And anyone not capable of or getting annoyed over operating NoScript shouldn't be let anywhere near a computer.
Three hours after publishing? Whether or not Facebook is of any value, well done El Reg!
Named and shamed...
NoScript: The cure is worse than the disease.
If pretty much breaking the entire Internet is your idea of a fix then I'd rather be broken. Here's a similar fix: Turn off your computer.
I went back to using Flashblock instead.
@ James O'Brien
No mate, you're not. So, this coat rack is starting to look bare...
the Facebook engineers were busy sitting reading The Register rather than checking their mailboxes - who would argue based on clear evidence?!?
Paris, because she keeps her eyes on the right kinda ball!
Examples work for me...
NoScript's Anti-XSS protection, James
Please RTFM, before posting misinformed comments: http://noscript.net/features#xss
'Within three hours of posting this story...'
more like REDfacebook amirite
Care to bet your life on that?
NoScript is more of a pain than a saviour, not least because of the false sense of security that its users have.
Examples don't work here...
... and it's without NoScript.
Perhap you should RTFA and note they were closed within 3 hours of this article being posted?
Hey AC, Adblock Filterset.G does not work with AdBlock Plus and, in fact, the AdBlock Plus folks tell you not to install it if you have AdBlock Plus (http://adblockplus.org/en/faq_project#filterset.g).
I wonder if Firekeeper would catch it... it picks up some other attacks.
I told ja, I told ja!
No gosh-dern good would come 'a these whipper-snappers and their gosh derned Web 2.0!
- Infosec geniuses hack a Canon PRINTER and install DOOM
- 'Windows 9' LEAK: Microsoft's playing catchup with Linux
- Boffins say they've got Lithium batteries the wrong way around
- Game Theory Half a BILLION in the making: Bungie's Destiny reviewed
- Phones 4u slips into administration after EE cuts ties with Brit mobe retailer