The vulnerability was discovered by UK-based security consultant Jack Whitton who immediately informed Facebook.
Facebook engineers quickly took cognizance of the critical flaw and patched it within six hours.
Using a technique described in 2012, the expert managed to encode an XSS payload into a PNG image's IDAT chunk.
Whitton found that several Facebook plugins are designed to be placed in an iframe, which bypasses such protections.
This could be done by posting a status with the link, or by sending an email.
Facebook, however, confirmed to SecurityWeek that it fixed the content throw in bug as well.
source: www.techworm.net