Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities have been with us for some time and while many social networks have tightened their defenses against XSS attacks–as have many other conventional websites–there are some social networking worms have used XSS flaws to spread. Some security experts say that CSRF attacks are not common on the social networks, but best be on the lookout for them unless the site admins are proactive.
The openness of Web 2.0 sites in general makes these complicated attacks virtually unnecessary, but it is possible using CSRF to utilize a hacked MySpace account to jump across to Facebook and wreak havoc. One security specialist noted that as long as users are allowed to use code in one form or another in profiles and comments–especially with links to external content–there are going to be security problems.
That seems to be the real issue here. XSS and CSRF, while possible, probably aren’t even necessary for hackers to compromise accounts; they’re already open enough to be vulnerable.