DEV Community

BeyondMachines for BeyondMachines

Posted on • Originally published at beyondmachines.net

Meta Patches XSS Flaws in Conversions API Gateway Enabling Zero-Click Account Takeover

Summary

Meta patched two critical XSS vulnerabilities in its Conversions API Gateway that enabled zero-click Facebook account takeovers across millions of sites. Attackers could inject malicious JavaScript into trusted scripts to steal session tokens and hijack user accounts without interaction.

Take Action:

If you are running a self-hosted Meta Conversions API Gateway, this is important and urgent. The gateway server is exposed to the internet by design, so that it can receive analytics traffic, which means you need to patch it now. With the full writeup public, exploitation is now trivial.


Read the full article on BeyondMachines

