Facebook's warning of self-xss

The warning is talking about "access to your Facebook account", not complete control.

Self-XSS works like any XSS. While you cannot read the httpOnly session cookie, you can:

  • read any data available to the attacked user (messages, secret groups, profile infos, etc)
  • send arbitrary requests in the name of the attacked user (send messages, create posts, etc)
  • display arbitrary data to the attacked user (fake messages or posts, phishing attackers, etc)

Tags:

Javascript

Cookies

Xss

Injection

Self Xss

Related

Is it unsafe to show message that username/account does not exist at login? Is checking the Referer and Origin headers enough to prevent CSRF, provided that requests with neither are rejected? Why can't Let's Encrypt support wildcard certificates? Risks of explicitly trusting SSL certificate vs relying on certificate chain for validation? Forgot your password: "New password must have a minimum of 4 characters different from the previous password" Why should I offer HTTP in addition to HTTPS? How to determine and control extent of data passing through VPN connection? Why JMP ESP instead of directly jumping into the stack Store encrypted user data in database Does a compromised kernel give complete control over a device? What's the difference between end-to-end and regular TLS encryption? Should I reject a CSR when the host emailed me the private key for SSL certificate request?

Recent Posts