Here is a good general reference link for www.infosecisland.com:
From Symantec's Candid Wueest:
"The vulnerability exists in the mobile API version of Facebook due to insufficient JavaScript filtering. It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript."
"Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall. There is no other user interaction required, and there are no tricks involved, like clickjacking."
"Just visiting an infected website is enough to post a message that the attacker has chosen. Therefore it should be of no surprise that some of those messages are spreading very fast through Facebook. Some are posting links to infected websites, creating XSS worms that spread from user to user."
Facebook has patched the JavaScript-based XSS vulnerability, and the company says they are now working to undo the damage done by the attack.
So the problem comes down to the neutralization of input data in web pages.
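As an added example (not code from the article, and not Facebook's own filter, which the article does not show), a small allow-list HTML sanitizer in Python that neutralizes the vectors Wueest names: iframe elements, meta http-equiv "refresh" redirects, and javascript: URLs in otherwise permitted attributes. The tag allow-list and the sample inputs are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "br"}   # conservative allow-list; iframe/meta/script are absent
ALLOWED_ATTRS = {"a": {"href"}}              # attributes that survive, per tag
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}          # their bodies are discarded, not escaped

def _safe_url(url: str) -> bool:
    # Browsers ignore whitespace/control characters inside a scheme, so strip
    # them before checking; a value without ':' is a relative URL and is kept.
    cleaned = "".join(ch for ch in url.lower() if ch.isprintable() and not ch.isspace())
    if ":" not in cleaned:
        return True
    return cleaned.split(":", 1)[0] in SAFE_SCHEMES

class AllowListSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []       # rebuilt, safe markup
        self.dropped = []   # record of what was removed, useful for logging/detection
        self._skip = None   # set while inside a script/style body

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)      # iframe, meta (http-equiv refresh), script ...
            if tag in RAW_TEXT_TAGS:
                self._skip = tag
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value and _safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")   # e.g. a@href carrying a javascript: URL
        self.out.append(f"<{tag}{''.join(kept)}{' /' if tag in VOID_TAGS else ''}>")

    def handle_endtag(self, tag):
        if tag == self._skip:
            self._skip = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip is None:
            self.out.append(escape(data))   # text is re-escaped, so it can never become markup

def sanitize(fragment: str) -> tuple:
    """Return (clean HTML, list of dropped tags/attributes) for an untrusted fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

The `dropped` list is the detection signal: a post whose fragment yields an `iframe` or `meta` entry is exactly the kind of content the article describes, and can be logged or rejected before it reaches anyone's wall.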