Wednesday, November 16, 2011

Facebook: Anatomy of Self-Inflicted Javascript Injection

Many are already familiar with "likejacking" (a form of "clickjacking") in which a user is tricked into clicking on and interacting with the Facebook "like" button -- this has been one of the most common vectors for abusing Facebook. For example, the "like" button may be hidden behind an image such as a picture of an embedded YouTube video with a play button. Zscaler released a free browser plugin for identifying and warning of hidden "like" buttons in webpages. However, a recent campaign on Facebook in which inappropriate pictures (porn, mutilation, etc.) were spread through users' social networks was conducted via a different mechanism that many are unfamiliar with: self-inflicted JavaScript (JS) injection. This post will explain the basic technique and some of what we are seeing on Facebook.

Many people are unaware that they can run JS directly from their browser's URL bar. Go ahead and try it. Here is a benign script that pops up a test alert in your browser; enter this into your URL bar: javascript:alert('test');

If you're running NoScript, it prevents running JS directly from your URL bar, to combat social-engineering attempts to get users to unknowingly run something malicious, and will show the following dialog message:

Otherwise, here is a screenshot from entering this in Safari:
In this example on Safari, I was initially on the www.apple.com page before I launched the JS in my URL bar, so you can see the Apple page in the background and the JS alert message appears to have come from www.apple.com. This would change depending on whatever page I was on when I launched the JS in the URL bar; additionally, the JS could be modified to interact with or modify content on the current page. In other words, you could run JS that completely modifies the Apple page locally in your browser or interacts with its buttons or links. This is an important concept to understand, and it is the technique being used to do damage to Facebook accounts and profiles.

The "same origin policy" is a security concept enforced by browsers for JS and other client-side scripting that prevents scripts from one website from accessing methods/properties on another website. So when you visit your friend's blog, he is unable to have JS execute and automatically interact with your Facebook account. Instead he includes a link at the bottom of his blog that points to facebook.com and passes parameters telling Facebook that you "like" his post (the "like" button). For example,

www.facebook.com/plugins/like.php?href=HIS_BLOGPAGE&width=120&height=22&layout=button_count&show_faces=false&action=like&colorscheme=light

There is, in effect, an exception to the "same origin policy": script you execute locally within your browser (e.g., from the URL bar) runs in the context of whatever page is currently loaded and can interact with it (shown above in the apple.com example). Developers and browser plugins (e.g., Greasemonkey) take advantage of this fact to alter various aspects of a webpage. Bad guys are also taking advantage of this fact, by social engineering users into copying/pasting or typing JS into their URL bar to perform unwanted actions. While you are logged into Facebook, such JS can automatically perform actions in your account, such as "liking" content or messaging your friends.
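To make the origin point concrete, here is an added example (my own code, not from the original post or from Facebook) that uses the standard WHATWG URL API to compare origins and to recognise a javascript: scheme the way a URL parser does. The blog and Facebook URLs are constructed; friends-blog.example is a placeholder host.

```javascript
// Added example: origin comparison and javascript: scheme handling (not from the original post).
// Relies only on the WHATWG URL API, available in Node.js and modern browsers.

// Two URLs share an origin when scheme, host and port all match; that is the unit of
// isolation the same-origin policy enforces.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The origin a URL carries. A javascript: URL has no origin of its own (the parser
// reports "null"), which is why script typed into the URL bar executes as the page
// that is currently loaded, with that page's privileges.
function originOf(url) {
  return new URL(url).origin;
}

// Normalise input the way a URL parser would before looking at the scheme: strip
// leading/trailing C0 controls and spaces, drop ASCII tab/LF/CR anywhere, and compare
// the scheme case-insensitively. This catches "JaVaScRiPt:" and "java\nscript:" too.
function normalizeForScheme(input) {
  return input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

function isJavascriptScheme(input) {
  return /^javascript:/i.test(normalizeForScheme(input));
}

// Defensive paste handling: remove the scheme so pasted text cannot execute as script.
// Returns the text that would remain in the URL bar.
function stripJavascriptScheme(input) {
  return normalizeForScheme(input).replace(/^javascript:/i, '');
}

// Constructed sample values.
const BLOG = 'http://friends-blog.example/post/1';
const LIKE = 'https://www.facebook.com/plugins/like.php?href=' + encodeURIComponent(BLOG);

console.log(sameOrigin(BLOG, LIKE));                  // false: the blog cannot script the like.php frame
console.log(originOf("javascript:alert('test')"));    // "null": runs in the current page's context
console.log(isJavascriptScheme(" JaVaScRiPt:alert('test')")); // true
console.log(stripJavascriptScheme("javascript:alert('test')")); // "alert('test')"
```

The friend's blog and facebook.com are different origins, so the blog's script cannot reach into the like.php frame; the javascript: URL, by contrast, has no origin at all and simply inherits the loaded page's.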

Facebook has cleaned up most of the offensive content from the recent campaign, but with some specific searches I was able to find some examples of this self-inflicted JS injection technique being used on Facebook.

The most common case is Facebook groups that ask you to join and then enter some JS into your URL bar. For example,

This JS loops through all of your friends and suggests/invites each of them to the group. In other words, it performs a bulk invite of all of your friends to the group. Simple, right?

Here is an example of a more complex and malicious JS I found on FB:

The strings in the JS are all hex encoded; below is the unescaped version:

This JS generates a Facebook invite message to your friends, with the message containing an iframe pointing to: bit.ly/9CxGhY?82
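When a script's strings are hex-escaped like the one above, the analyst's first step is to recover the readable version and pull out the indicators it embeds. The following decoder is an added example (my own code, not the script from the post): it resolves JS \xHH and \uHHHH escapes, expands unescape('%HH...') calls the way the legacy unescape function does, and lists the hosts referenced by the result. The obfuscated input is constructed, and bad.example is a placeholder host.

```javascript
// Added example: decode hex-escaped strings in an obfuscated script and extract hosts.

// Resolve \xHH and \uHHHH escapes wherever they appear. For analysis we decode the whole
// source rather than only string literals; that is acceptable for reading, not for re-execution.
function decodeJsEscapes(source) {
  return source
    .replace(/\\x([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Mirror the legacy unescape(): %uHHHH first, then %HH.
function legacyUnescape(s) {
  return s
    .replace(/%u([0-9a-f]{4})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Replace unescape('...') / unescape("...") calls with the decoded literal, keeping the quote style.
function expandUnescapeCalls(source) {
  return source.replace(/unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/g,
    (_, q, body) => q + legacyUnescape(body) + q);
}

// Full pass: JS escapes first (so an escaped '%' becomes visible), then unescape() calls.
function decodeHexStrings(source) {
  return expandUnescapeCalls(decodeJsEscapes(source));
}

// Pull hostnames out of any http(s) URLs in the decoded text, de-duplicated.
function extractHosts(text) {
  const urls = text.match(/https?:\/\/[^\s'"<>]+/g) || [];
  return [...new Set(urls.map((u) => new URL(u).hostname))];
}

// Constructed obfuscated sample in the style described above (String.raw keeps the backslashes).
const SAMPLE = String.raw`var u='\x68\x74\x74\x70\x3a\x2f\x2f\x62\x61\x64\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2f';
var m=unescape('%3c%69%66%72%61%6d%65%20%73%72%63%3d')+u;
var d='\u0061\u0070\u0069';`;

const DECODED = decodeHexStrings(SAMPLE);
console.log(DECODED);
// var u='http://bad.example/';
// var m='<iframe src='+u;
// var d='api';
console.log(extractHosts(DECODED)); // [ 'bad.example' ]
```

The decoded text is what the post calls the "unescaped version"; the host list is what you would feed into blocking or hunting.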

Visiting this shortened link shows that bit.ly is aware of the abuse and warns users against following it:
The shortened link pointed to the now-offline site:
hxxp://aagmphxa.facebook.joyent.us/goog/index1.php
There are many examples of past abuse from various "facebook.joyent.us" sites, here for example.

This is not a new technique; Zscaler has reported past abuse examples using this self-inflicted JS injection method, for example:
Be careful of all actions you take while online, to include copying and pasting content into your URL bar.

2 comments:

Anonymous said...

FYI, doesn't work in IE9 or Chrome 15.0.874.120 as they strip the javascript: part. Does work in FF 7.0.1 & 8.0

Anonymous said...

Oops, FF8 will copy but not execute.