Update
Ok good news guys... they have removed the page finally! But I reported them like 3 times and there was no "this page is hacking" button... I think it's stupid this grew to over a few hundred thousand duped before Facebook found and removed it... I even tweeted to them about this article after I made some JavaScript to pull the page's likes and update the count dynamically: @facebook http://j.mp/95PvuT there's a page serving #XSS! read my analysis of #exploit code here #facebook #socialengineering
Facebook needs to have a better way to deal with these kinds of attacks... or at least a way to report them more easily...
Original Post
A friend who I never talk to just sent me to this page on Facebook... it's the "The Most CRAZIEST & EPIC Facebook Break Up Ever! Absolute MUST SEE!" page. I usually never trust these things, but they had some custom FBML so I wanted to see what was up... After you like the page you get access to the exploit code I've copied below... It gives instructions to paste the code below into the address bar. Now I totally thought it was suspect, but I've seen things like this do cool easter eggs before so I tried it... then I get a notification "Your invitations have been sent." Doh! I've been duped... but I don't feel so bad because they have 150,490 likes,
so I'm just one of many. Now let's see what's going on... You must view original post to see code...
Now let me just run some Carter magic on this and let's see what it's doing... First it creates a link on the page, then simulates a mouse event on that link... There are then three functions set on timers to hide the dialog, select all contacts, submit the form, and then replace the container with an iframe serving spam...
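The sequence above (a scripted click, then "select all" and submit on a timer) is exactly what a site can refuse to honour. As an added example, not code from the original post or from Facebook, here is a client-side guard for an invitation form that rejects events the browser did not generate from a real user gesture (`Event.isTrusted` is `false` for `dispatchEvent`) and refuses a submit when every recipient was ticked faster than a human could; the `MIN_HUMAN_DELAY_MS` threshold and the `state` shape are assumptions.

```javascript
// Added defensive example (not from the original post).
// A script-driven "invite everyone" flow has two tells that this guard checks:
//   1. the click/submit event was created with dispatchEvent, so isTrusted is false;
//   2. all recipients were selected and submitted within milliseconds of the
//      dialog opening, which no human does.
const MIN_HUMAN_DELAY_MS = 500; // assumption: tune for the real dialog

// Decide whether the invitation submit should proceed.
// `ev`    : the click/submit Event (only isTrusted is inspected)
// `state` : { openedAt, submittedAt, recipients, selected } in ms / counts
function checkInviteSubmit(ev, state) {
  if (!ev || ev.isTrusted !== true) {
    return { allow: false, reason: 'synthetic-event' };
  }
  const elapsed = state.submittedAt - state.openedAt;
  const selectedAll = state.recipients > 0 && state.selected === state.recipients;
  if (selectedAll && elapsed < MIN_HUMAN_DELAY_MS) {
    return { allow: false, reason: 'bulk-select-too-fast' };
  }
  return { allow: true, reason: 'ok' };
}

// Attach the guard to a real <form> when running in a browser.
// `state` is expected to carry openedAt/recipients/selected kept by the dialog.
function installInviteGuard(form, state) {
  form.addEventListener('submit', (ev) => {
    const verdict = checkInviteSubmit(ev, { ...state, submittedAt: Date.now() });
    if (!verdict.allow) {
      ev.preventDefault(); // nothing is sent; log for detection instead
      console.warn('Invitation blocked:', verdict.reason);
    }
  });
}
```

The client-side check only raises the bar; the same rate and "all contacts at once" heuristics belong on the server, where pasted scripts cannot bypass them.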
I gotta admit, pretty well done... get the users to run the exploit for you, and because Facebook makes it so hard to report hackers I bet I have infected many of my friends and have no way of stopping or recovering the notifications. I looked everywhere and I can't find any way to see a log of what I've sent and how I can recover those messages.
Lame Facebook Lame!

2 remarks:
Ironically, I'm surprised this is the first time you got hit by this. I got hit several months ago by an identical one, except it said something else.
What do these exploits do?
@Jey This one seems like it was pretty harmless compared to what it could have done... I only saw some ads in the iframe and it sending itself to everyone (that's what the "select all" command is for), but it was poorly coded and written, which made me believe that it was probably not created in the US. It's quite clever though... XSS is super nasty and they got around it by just having the user run it for them... I love social engineering; the psychology behind it is so interesting and it can be manipulated very well when they have access to things like our social graphs. And because the invitations have no screen to recall them I couldn't stop the spread to my friends once I knew what was going on.