Farmville and Cityville, both popular games on social networks, were created by the company Zynga, which has a yearly turnover of 850 million USD. Like many big companies, it also has a Hall of Fame where it thanks security researchers for their help in reporting security threats in its online games or web applications.
The links are all created like this:
To trigger an XSS when you click on the share button, we just had to add a new parameter to the URL:
We informed Zynga's security team on the 6th of April 2013. They answered two weeks later and told us that the XSS was not exploitable. We had to admit that this was true in this case, because an over-styled “h1” tag rendered the share buttons unclickable. But there was a solution to this problem: just find another website without an over-styled “h1” tag :)
This was the final exploit, and the issue was validated within the next week. Additionally, we were asked for some details for the Hall of Fame entry.
Ten days later the XSS issue was finally fixed.
Team of internetwache.org