Indian security researcher Mr. Manjesh found a new vulnerability on Facebook. The vulnerability was in Facebook badges and was a self-stored injection; it was also limited to only 10 characters.
They didn't find any XSS JavaScript that fits within 10 characters, and this was the main problem I was having.
When he sent a request with just the text: Manjesh, he got the output: <div class="badge_holder bh_Manjesh">. This is it!! I was able to inject something into a DIV tag.
Below are the proof screenshots:
The researcher reported this as an XSS/self-stored HTML injection and it was rejected: there is no scope for HTML injection, and I didn't have any proof to show XSS is possible.
Finally, he didn't find any XSS stuff within 10 chars but came up with a logical idea. If I was able to execute <noscript>, then I could hide all the badges created; but <noscript> didn't work, and instead "><script> worked.
This vulnerability was accepted by Facebook and was fixed very quickly.
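The root cause described above is a value reflected into a class attribute without output encoding, where a 10-character limit still leaves room to close the attribute and tag. The following is an added example, not code from Facebook or from the researcher: it renders the same div unencoded and with attribute encoding, then parses both to show the difference. The function names, the MAX_LEN constant and the allow-list pattern are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

MAX_LEN = 10  # assumed to mirror the 10-character limit described in the post
_CLASS_TOKEN = re.compile(r"[A-Za-z0-9_-]{1,%d}" % MAX_LEN)  # hypothetical allow-list


def render_vulnerable(name: str) -> str:
    # Reflects the value into the class attribute with no encoding (reported behaviour).
    return '<div class="badge_holder bh_%s"></div>' % name[:MAX_LEN]


def render_encoded(name: str) -> str:
    # Truncate first, then encode for the attribute context so quotes and
    # angle brackets become entities and no entity is cut in half.
    return '<div class="badge_holder bh_%s"></div>' % html.escape(name[:MAX_LEN], quote=True)


def render_allowlisted(name: str) -> str:
    # Stricter option: accept only characters that belong in a class token.
    if not _CLASS_TOKEN.fullmatch(name):
        raise ValueError("invalid badge name")
    return '<div class="badge_holder bh_%s"></div>' % name


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup: str):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    value = '"><script>'  # the 10-character value quoted in the post
    for render in (render_vulnerable, render_encoded):
        print(render.__name__, parsed_tags(render(value)))
```

With encoding in place the parser sees a single div whose class value contains the literal characters, which is the property a regression test for this fix should check.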
Author: Venkatesh Yalagandula