
Tuesday, June 22, 2010

Social Engineering + Encoded Javascript = Facebook XSS The Attack Explained

Update

Ok good news guys... they have removed the page finally! But I reported them like 3 times and there was no "this page is hacking" button... I think it's stupid this grew to over a few hundred thousand duped before Facebook found and removed it... I even tweeted to them about this article after I made some JavaScript to pull the page's likes and update the count dynamically:

@facebook http://j.mp/95PvuT theres a page serving #XSS! read my analysis of #exploit code here #facebook #socialengineering



Facebook needs to have a better way to deal with these kinds of attacks... or at least a way to report them more easily...

Original Post

A friend who I never talk to just sent me to this page on Facebook... it's the "The Most CRAZIEST & EPIC Facebook Break Up Ever! Absolute MUST SEE!" I usually never trust these things, but they had some custom FBML so I wanted to see what was up... after you like the page you get access to the exploit code I've copied below... It gives instructions to paste the code below into the address bar. Now I totally thought it was suspect, but I've seen things like this do cool easter eggs before so I tried it... then I get a notification "Your invitations have been sent." Doh! I've been duped... but I don't feel so bad because they have 150,490 likes, so I'm just one of many. Now let's see what's going on...

You must view original post to see code...


Now let me just run some Carter magic on this and let's see what it's doing... first it creates a link on the page, then simulates a mouse event to that link... there are then 3 functions set on timers to hide the dialog, select all contacts, submit the form and then replace the container with an iframe serving spam...
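The behaviours listed above (a simulated click, timed steps, a hidden dialog, a form submit, an iframe swap) can be checked for without running anything. The following is an added example, not code from the original post: a static triage that peels the encoding off a pasted `javascript:` snippet as text and flags those behaviours. The indicator names, the threshold and the sample string are constructed assumptions.

```javascript
// Added example: static triage of a "paste this into your address bar" snippet.
// Indicator names, the threshold and SAMPLE are constructed for illustration.
const INDICATORS = [
  { name: "synthetic-click", re: /\b(createEvent|initMouseEvent|initEvent|dispatchEvent)\b/ },
  { name: "timer-chain", re: /\bset(Timeout|Interval)\s*\(/ },
  { name: "dialog-hide", re: /\.style\.(display|visibility)\s*=/ },
  { name: "select-all", re: /\.checked\s*=\s*true/ },
  { name: "form-submit", re: /\.submit\s*\(/ },
  { name: "iframe-swap", re: /<iframe\b|createElement\s*\(\s*['"]iframe['"]/i },
];

// Peel encoding layers as text only; the snippet is never evaluated.
function normalize(snippet) {
  let s = snippet.trim().replace(/^javascript:/i, "");
  for (let round = 0; round < 5; round++) {
    let next = s;
    try { next = decodeURIComponent(next); } catch (_) { /* stray %, keep as is */ }
    next = next
      .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
      .replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, list) =>
        JSON.stringify(String.fromCharCode(...list.split(",").map(Number))));
    if (next === s) break; // nothing left to decode
    s = next;
  }
  return s;
}

function triage(snippet) {
  const addressBar = /^\s*javascript:/i.test(snippet);
  const decoded = normalize(snippet);
  const hits = INDICATORS.filter((i) => i.re.test(decoded)).map((i) => i.name);
  // Assumed threshold: a javascript: URI plus three or more behaviours.
  return { addressBar, hits, suspicious: addressBar && hits.length >= 3 };
}

// Constructed, inert sample: placeholder names, percent-encoded, only scanned.
const SAMPLE = "javascript:" + encodeURIComponent(
  "var e=document.createEvent('MouseEvents');e.initEvent('click',true,true);" +
  "link.dispatchEvent(e);setTimeout(function(){dlg.style.display='none'},1000);" +
  "setTimeout(function(){frm.submit()},3000);" +
  "setTimeout(function(){box.innerHTML='<iframe src=about:blank>'},4000);");

console.log(triage(SAMPLE));
console.log(triage("javascript:alert(document.title)"));
```

A one-line `javascript:` bookmarklet trips none of the indicators, while the encoded sample trips five of the six; the threshold is a starting point to tune, not a verdict.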

I gotta admit, pretty well done... get the users to run the exploit for you, and because Facebook makes it so hard to report hackers I bet I have infected many of my friends and have no way of stopping or recovering the notifications. I looked everywhere and I can't find any way to see a log of what I've sent and how I can recover those messages.

Lame Facebook Lame!
