Facebook patched the issue in about six hours
Jan 28, 2016 17:03 GMT · By Catalin Cimpanu
British security researcher Jack Whitton has identified a critical XSS (cross-site scripting) vulnerability on Facebook that could be leveraged via malicious .png images and grant an attacker access to someone's account.
Mr. Whitton discovered that he could use steganography to craft a malicious .png image which would hold the source code of an HTML file.
During the upload process, he managed to trick Facebook servers into accepting the initial upload as a .png file, but later save this .png (on their image storage CDN servers) as an HTML document.
But this HTML file, saved among images on Facebook's CDN servers, wasn't really that useful to begin with, since there was no data for an attacker to steal and exploit. So he had to find a way to load this HTML file on Facebook's main website.