Comments on: New Utility Allows You to Control Facebook Accounts Without the Password http://doteduguru.com/id3831-new-utility-allows-you-to-control-facebook-accounts-without-the-password.html Internet Marketing and Web Development in Higher Education and other tidbits... Thu, 18 Mar 2010 18:49:07 -0400 http://wordpress.org/?v=2.9.2 hourly 1 By: Sample Resumes http://doteduguru.com/id3831-new-utility-allows-you-to-control-facebook-accounts-without-the-password.html/comment-page-1#comment-8936 Sample Resumes Fri, 30 Oct 2009 19:32:17 +0000 http://doteduguru.com/?p=3831#comment-8936 Oh wow! its amazing. I hope that it 'll be a very good function to the users. I don't know about it. Thanks a lot for sharing such a nice post. Oh wow! its amazing. I hope that it ‘ll be a very good function to the users. I don’t know about it. Thanks a lot for sharing such a nice post.

]]> By: Web Solutions http://doteduguru.com/id3831-new-utility-allows-you-to-control-facebook-accounts-without-the-password.html/comment-page-1#comment-8891 Web Solutions Mon, 26 Oct 2009 07:00:52 +0000 http://doteduguru.com/?p=3831#comment-8891 It will be really good if works well according to the user needs It will be really good if works well according to the user needs

]]> By: theharmonyguy http://doteduguru.com/id3831-new-utility-allows-you-to-control-facebook-accounts-without-the-password.html/comment-page-1#comment-8804 theharmonyguy Wed, 21 Oct 2009 21:45:59 +0000 http://doteduguru.com/?p=3831#comment-8804 Correction to my correction: As Paul pointed out to me via Twitter, an attacker could theoretically change document.domain. But Facebook filters any JavaScript in an application running via apps.facebook.com, so they wouldn't allow such code via an app XSS hole, and the attack would still fail. Correction to my correction: As Paul pointed out to me via Twitter, an attacker could theoretically change document.domain. But Facebook filters any JavaScript in an application running via apps.facebook.com, so they wouldn’t allow such code via an app XSS hole, and the attack would still fail.

]]> By: theharmonyguy http://doteduguru.com/id3831-new-utility-allows-you-to-control-facebook-accounts-without-the-password.html/comment-page-1#comment-8802 theharmonyguy Wed, 21 Oct 2009 21:35:17 +0000 http://doteduguru.com/?p=3831#comment-8802 Paul corrected me that you could actually change document.domain if you could run pure JavaScript on an apps.facebook.com. But code on that domain is filtered by Facebook, so inserting script that tries to change document.domain would not be rendered. So, exploiting an application would still not work, but for a different reason. Thanks for the clarification, Paul. Paul corrected me that you could actually change document.domain if you could run pure JavaScript on an apps.facebook.com. But code on that domain is filtered by Facebook, so inserting script that tries to change document.domain would not be rendered.

So, exploiting an application would still not work, but for a different reason. Thanks for the clarification, Paul.

]]> By: theharmonyguy http://doteduguru.com/id3831-new-utility-allows-you-to-control-facebook-accounts-without-the-password.html/comment-page-1#comment-8801 theharmonyguy Wed, 21 Oct 2009 20:58:14 +0000 http://doteduguru.com/?p=3831#comment-8801 Thanks for the link! Slight correction, though: Since Facebook runs all applications on the apps.facebook.com domain, an XSS hole in an application would not allow you to grab the cookies for facebook.com or www.facebook.com - at least not in any modern browser I know of. Of course, you can send links to other users with an application XSS hole by using the Facebook API. Thanks for the link!

Slight correction, though: Since Facebook runs all applications on the apps.facebook.com domain, an XSS hole in an application would not allow you to grab the cookies for facebook.com or http://www.facebook.com – at least not in any modern browser I know of.

Of course, you can send links to other users with an application XSS hole by using the Facebook API.

]]>