The flaw has been fixed, so I’m providing the details:
Let’s say I wrote a note on Facebook and included some script in it as a demonstration of coding techniques. One would expect the text to display on the page rather than execute, and when viewed using a normal browser that is what happens. Here is the problem: when viewing a Facebook note using the Facebook iPhone app, script in the note isn’t properly sanitized, and is executed. This is a classic XSS vulnerability which would allow an attacker to steal your login credentials or spam your friends just by getting you to view his/her note using your iPhone. The amazing thing about this flaw is that it is so straightforward. Any HTML/JavaScript in a Facebook note executes when viewed using the Facebook iPhone app. It really didn’t take any reverse engineering to discover. I’m amazed that such a flaw made it into production.
Here is what the Facebook note looked like when viewing it on a computer:
The next image shows that the note is properly sanitized.
Here is what it looks like on my iPhone during the alert and after the Wikipedia iFrame loads:
As you can see, first the alert pops up, and then the embedded site loads. Both of these events are due to the code I had placed in the note.
I’m left wondering why this only worked from within the iPhone app. I would imagine the note would be sanitized before being stored in the database, rather than sanitized as it is loaded/displayed. Since the fix didn’t include an update of the Facebook for iPhone app, they must have implemented a server-side fix.
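To illustrate the two points above (a stored note that is harmless on one rendering path and live on another, and why encoding on output fixes both the alert and the iframe at once), here is an added example that is not from the original post and does not model Facebook’s actual code. The note body, the `serve_note` model with its `client` and `server_side_fix` parameters, and the blocklist sanitizer are all constructed for the example.

```python
import html
import re

# Constructed sample note body, standing in for the kind of note the post
# describes: inline script plus an embedded frame. Not the author's payload.
NOTE_BODY = (
    'Coding demo: <script>alert("note")</script> '
    '<iframe src="https://en.wikipedia.org/"></iframe> end of note'
)


def naive_strip_scripts(text: str) -> str:
    """Blocklist 'sanitizer' that only removes <script> blocks.

    Included to show why tag stripping is not enough: anything not on the
    list (here the iframe) passes through untouched.
    """
    return re.sub(r"<script\b.*?</script>", "", text,
                  flags=re.IGNORECASE | re.DOTALL)


def render_note_html(text: str) -> str:
    """Context-aware output encoding for an HTML text context.

    The note is always emitted as text, so markup inside it can never
    become elements in the client's DOM, whichever client renders it.
    """
    return f'<div class="note">{html.escape(text, quote=True)}</div>'


def serve_note(stored_body: str, client: str, server_side_fix: bool) -> str:
    """Hypothetical model of the two rendering paths the post contrasts.

    Before the fix the 'iphone' path returned the stored body raw; with the
    server-side fix every path encodes, regardless of which client asked.
    """
    if server_side_fix or client == "web":
        return render_note_html(stored_body)
    return f'<div class="note">{stored_body}</div>'  # vulnerable legacy path


def contains_active_markup(rendered: str) -> bool:
    """Crude check: does the output still contain an unescaped element a
    browser would execute (script) or load (iframe)?"""
    return re.search(r"<(script|iframe)\b", rendered, re.IGNORECASE) is not None
```

Run the checks in `contains_active_markup` against each path: only the unfixed mobile path and the blocklist sanitizer leave active markup behind.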