Linux Software & Blog
Posts tagged disclosure
Facebook Inbox Message Disclosure Vulnerability
Jun 23rd
Title: Facebook Inbox Message Disclosure Vulnerability
Published: June 24th 2010
Credit: Ryan MacDonald
Severity: Information/Privacy Disclosure
Vulnerable: Facebook Messaging System BigPipe Performance Pipelining

Summary: A vulnerability exists in Facebook's messaging system that allows an attacker to view the addressed users, subject and inbox preview text (120 characters) of message contents for recently sent/received messages (last 6) on a user's account.

Technical Details: BigPipe Pipelining JavaScript code embedded into the source code of ALL PAGES under the “messages” section on Facebook preloads message data that can be arbitrarily read through malicious client-side JavaScript or other client-side objects. The offending JavaScript specifically is the
