Facebook XSS Hacks

Everyone remembers that back when you had AOL Instant Messenger, a major threat was getting a virus. Once a friend got one, it would send itself as a chat message to all of their friends, propagating across the network.

Now, there seems to be a similar menace facing Facebook, especially its chat feature. I recently received a message from a friend on Facebook with the text: “Sam See who views your profile @ x.co/WkdW?95031”. Upon visiting my newsfeed, I noticed a new event invitation to “How to see who viewed your profile!!” by the same person. Interested to see how this was spreading, I visited the link provided (in a secure browser, of course). Looking at the site, apparently you are supposed to paste a JavaScript file into your address bar, which then executes and tells you who views your profile. While this is of course impossible, it was interesting to see what exactly was going on. Opening the JavaScript file, I discovered a bunch of code I can’t claim to understand. However, some of it was fairly simple, and I shall attempt to explain it.

// Per-instance random number appended to every link this copy of the script spreads.
var randomnumber=Math.floor(Math.random()*99999);
// Chat-message template; %firstname% is filled in with the recipient's first name.
var chatmessage = '%firstname% See who views your profile @ x.co/WkdW?'+randomnumber;
// Wall-post template; each %tf% is filled in with a friend's name, the view counts are hard-coded.
var postmessage = 'My Top Profile Viewers: \n\ %tf% - 1136 views \n\ %tf% - 983 views \n\ %tf% - 542 views \n\ %tf% - 300 views \n\ See who views your profile @ http://x.co/WkdW?'+randomnumber;
// Where the victim is sent after the script runs (the survey page described below).
var redirect = 'http://aafv8vni.info/final.php';
// Description and title of the event invitation the script creates.
var eventdesc = 'Hey everyone, \n\ fb now lets you see who viewed your profile! to enable this feature, go here! - http://x.co/WkdW?'+randomnumber;
var eventname = 'How to see who viewed your profile!!';

This first part was very simple. It just builds a link with a random number on the end and spreads it three ways: chat messages, wall posts, and events. The event creation is something I haven’t seen before and was kind of interesting. Also, for those interested, the view counts are hard-coded into the script, which means they are completely fake. This was assumed, but it’s nice to know for sure. I’m not sure what the random number is for; maybe the author is doing some cool social network analysis on people who click on links like this. The redirect goes to a page that links to several surveys that allow them to “verify your identity.” This is probably just more ways to spam you and make money.
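As an added example (not part of the original post or the scam script), here is how a defender could match messages against the three templates above and pull out the per-instance random number so copies can be correlated. It assumes, as the script shows, that every lure ends in "x.co/WkdW?" followed by digits; the sample messages are constructed.

```javascript
// Added example, not from the original post: classify messages against the
// three templates the scam script uses (chat, wall post, event) and extract
// the per-copy tracking number that the script appends to the link.

// Assumption from the script above: every lure ends in x.co/WkdW?<digits>.
const LURE = /x\.co\/WkdW\?(\d+)/i;

// Phrases that identify which spreading channel a text came from.
// The wall-post template also contains the chat phrase, so it is checked first.
const CHANNELS = [
  { channel: 'post',  marker: /My Top Profile Viewers:/i },
  { channel: 'event', marker: /fb now lets you see who viewed your profile/i },
  { channel: 'chat',  marker: /See who views your profile @/i },
];

function classifyMessage(text) {
  const lure = LURE.exec(text);
  if (!lure) return { scam: false };
  const hit = CHANNELS.find((c) => c.marker.test(text));
  return {
    scam: true,
    channel: hit ? hit.channel : 'unknown',
    trackingId: lure[1],
    // A literal placeholder means a template was sent without being filled in.
    unfilledTemplate: /%(firstname|tf)%/.test(text),
  };
}

// Count distinct tracking ids seen per channel across a batch of messages.
function summarize(messages) {
  const ids = {};
  for (const m of messages) {
    const r = classifyMessage(m);
    if (!r.scam) continue;
    if (!ids[r.channel]) ids[r.channel] = new Set();
    ids[r.channel].add(r.trackingId);
  }
  const counts = {};
  for (const channel of Object.keys(ids)) counts[channel] = ids[channel].size;
  return counts;
}

// Constructed sample batch: the chat lure quoted in the post, a filled-in wall
// post and event description sharing one tracking id, and a benign message.
const SAMPLE = [
  'Sam See who views your profile @ x.co/WkdW?95031',
  'My Top Profile Viewers: \n Alice - 1136 views \n Bob - 983 views \n See who views your profile @ http://x.co/WkdW?12345',
  'Hey everyone, \n fb now lets you see who viewed your profile! to enable this feature, go here! - http://x.co/WkdW?12345',
  'Hey Sam, are we still on for lunch tomorrow?',
];
```

Running `summarize(SAMPLE)` groups the hits by channel, so a message feed can be checked for how many distinct copies of the script are circulating.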

The rest of the code is very obfuscated due to variable and function naming.  Some parts to note are that the author left debug functions intact and uses unique URL identifiers for each instance.  I’m not sure if this is for tracking purposes, but it could open some cool doors for network mapping of gullible people.  The funny thing is that it doesn’t actually harm your computer (that I know of), and only tries to spread itself.  This could just be the beginning of something bigger, but for right now the worst part is the embarrassment and cleanup of your Facebook profile.  The code itself is not very intriguing, since XSS is a commonly known information security vulnerability affecting many sites on the internet.  However, since the script relies on a victim actually pasting code into the URL bar once they are on Facebook, this scam is easy to avoid.
