Neither the Mozilla nor the WebKit folks have felt that this issue merits secrecy, so now that information about it is in the wild, I'll go ahead and post about a fun new social engineering hack that will probably be making the rounds in the not-so-distant future. The vulnerability concerns how easy it is to create an XSS + worm + phishing attack without necessarily triggering a non-technical user's security alarm.
Step-by-step instructions on how to recreate this follow, though I have left out sample code (an exercise for the less scrupulous readers).
- Create a Facebook group, 'Get $25 from $BANK'. (This works on any social networking site.)
- Create the worm code to automatically propagate requests to new victims. This code should automatically invite all of the target's friends to join said group. This has a huge advantage in that it occurs in a TRUSTED ENVIRONMENT: "Your friend Joe Smith has invited you to join the group, 'Get $25 from $BANK'." This is an example of worm code in the wild. UPDATE: Facebook appears to have pulled down the group I was linking to. I've got a screen capture, but I'm not sure I want to re-post the worm code.
- Add a script loader into the worm code. Any will do.
- Steal usernames and passwords from thousands of people.
Why this is more effective.
Bonus points to anybody who implements it like a pyramid scheme. The first 2500 stolen accounts get paid from taking the next 2500 accounts to the cleaners so that you get positive feedback from folks who are actually getting money. You can then come back the next day and clean out their accounts.
Toward a solution.