Thursday, April 29, 2010

XSS vulnerability in Facebook...

I discovered a persistent XSS vulnerability in Facebook today. I attempted to notify Facebook but couldn't find any e-mail address to contact them at about this. Update: Facebook has informed me that their disclosure page is located here. In the interest of responsible disclosure I've removed some of the technical details until Facebook has a chance to address this. Let's just say you may want to avoid viewing "friends'" notes using the Facebook iPhone app for now.

Jon Wedell
Thursday April 29, 10 am

Also, there is another, less important bug in Facebook I've noticed. Click on the "info" tab (or any other tab, like the wall) twice in a row as quickly as possible. The information will display on the page twice.
