Thursday, September 9, 2010

Reverse engineering the latest Facebook worm

Earlier today I noticed several of my friends had been hit by a Facebook worm that updated their status, created an event, and finally invited all of their friends to the event. The purpose of the worm was to widely distribute several "work from home" and similar scams. All of this happened instantly when they clicked on a link that they had seen posted by another user that had fallen for the trap. Knowing that Facebook would fix the issue soon, I immediately opened up my HTTP debugging tools and set about discovering how it worked.

Step 1: The user clicks a shortened url posted by a friend that has been hit by the worm. Each victim's status is updated with a new shortened url, and multiple URL shorteners are used.

Step 2: The user is redirected to one of many domains. In my case it was

Step 3: The exploit site loads an iframe to one of many facebook applications that have been set up by the attacker. The facebook application to use is chosen randomly from a large list to make the exploit more difficult to stop.

The Facebook application is built using FBML and FBJS, a special markup language and JavaScript variant designed to allow Facebook application developers to write applications that run inside of Facebook's context. This is done by disallowing harmful tags, prefixing all ID attributes with the application id, and only allowing developers to use a small set of custom JavaScript getter and setter functions to interact with the part of the DOM that belongs to the application.

In addition to disallowing certain tags, FBML provides the developer with the ability to use special tags such as the Like button. These tags are turned into HTML prior to being served to the user's browser, and a sandboxing method is employed to prevent FBJS from accessing them (To click the like button without the user's permission, for example). The sandboxing method essentially consists of applying an attribute to the HTML that tells the FBJS getter methods provided to developers that they should not be allowed to fetch the element via getElementById or any other methods.

Step 4: The malicious Facebook application makes a Ajax request through Facebook's servers to load additional FBML.

Due to an error on Facebook's part, the developer is able to get around the normal FBJS sandboxing methods for the like button using code essentially like the following:

You likely see the problem here. The <fb:like> FBML tag will generate HTML that will contain the HTML attributes that instruct FBJS to disallow access to it, but that won't matter because the HTML simply gets rendered as text inside the textarea.

Step 5: The malicious application uses FBJS to parse the HTML generated from the like button and steal the CSRF protection tokens from it (You can read more about CSRF here).

Here's the code (Cleaned up slightly from the modifications Facebook's FBJS parser makes to try to sandbox it):

You can see that the FBJS code steals two CSRF protection keys. One is fb_dtsg, and the other is post_form_id. These keys are then used to set the source of an iframe to a URL such that the attacker now has access to those keys.

Step 6: The attacker's iframe makes a request to
Which uses CSRF to make the user Like (fan) a page:

Step 7: The attacker's iframe makes a request to which updates the user's status using the following code:

Step 8: The attacker's iframe makes a request to which authorizes the Facebook application using the following code:

If you look carefully, you'll notice that the application will now be granted permission to publish to stream, create an event, and RSVP for events.

After step 8, Facebook reads the next parameter from the form and redirects the user to step 10 at

Step 9: The application creates an event on the user's behalf and invites all of their friends (server side)

Step 10: This user is redirected to a page with another CSRF form to spam all of their friends with messages.


Facebook patched the security flaw used by this worm shortly after it was discovered. FBML tags inside of textareas are now no longer converted to HTML.

This was a particularly interesting worm due to the use of an FBML flaw as an attack vector. Approximately a year ago I reported a similar issue due to improper sand-boxing of FBJS Dialog boxes. As with many technologies as complex as FBML, they can provide an excellent method of attack for hackers that are willing to learn their way around them.

Perhaps wisely, Facebook has chosen to move away from FBML canvas applications. Until then, hopefully we won't see too many more of these vulnerabilities discovered by the bad guys.

Like this post? Please vote it up on YC News.


Xero said...

Don't you think FaceBook would want to fix this flaw to prevent the attack? Nevertheless, you got to give the hackers credit. They make the pages look real. Then they got you.

Rich said...

Very insightful and a good read. Thanks for explaining this in clear terms. It's good to know the flaw is now patched.

Manoj Vivek said...

wat is the http debugging tool..

Canberk Bolat said...

@Manoj Vivek HTTP Debugging Tool referring to HTTP Proxy. Like Fiddler, Burp etc..

George Deglin said...

Yes, my favorite is Fiddler2. I generally keep Firebug's network panel open as well.

Unknown said...

Download New Facebook Account Hacker 2015 Free Working Here:

John Smith said...
This comment has been removed by the author.
John Smith said...

If you any problem with your software then connect with Quicken support phone Service is an effort done to help. The professionals are trained at such a level that they are able to deal even with the most complicated problems.

Unknown said...

Thank you so much for the sharing article.

Roku Phone Number

Giselparry said...

hi I am kunti
I read your article it's very nice and I very happy to see your article.I Want to read your blog every time when i open this and your information is truely good i loved it i have same type of article which i want to see you hope you like my article.
Facebook customer service 

Giselparry said...

hi I am kunti
I read your article it's very nice and I very happy to see your article.I Want to read your blog every time when i open this and your information is truly good i loved it i have same type of facebook tech support if you need any help this article is useful to you. and once again your article is too good.
facebook tech support 

JOHN said...

Hi, I am Ipsita. I am very happy to read your article. Your article is very good. This article is an important information for me. If you have some time please read my article and suggest me how can I improve my article. And thank you for priceless information. Visit this site to know about my article details:

Giselparry said...

hi, i am kunti i am very happy to read your article in your article have an important information for me.hi
i am sameera bilwal
i read your article it was amazing it has full information and i loved to read it.
i want to read your article every time,if you can post this article every time i get so happy.
give me some advice on how do i improve it. please read my article and give me some information of it.
Roku Com Link

sofia said...

If you want to delete or deactivate your Facebook account but you have no proper knowledge that how to do it .that case you can get help from technical support team which resolves your Facebook issues. You can easily connect technical support team

Facebook Customer Service

Facebook Customer Service

Facebook Support Number

Facebook Phone Number

Facebook Phone Number

Facebook Support Number

Facebook Support Number

Facebook Support Phone Number

Facebook Support Number

Amy Jones said...

Welcome to our Technical Support, we are here to help you - just let me know your problem . . .
Call us: +1-855-341-9287

Gmail Service Number

Unknown said...

Are you facing inconvenience Amazon Prime account and some other would error related Amazon products? OPT Customer Service provides tech support master reach your place to resolve your entire Amazon problems in an immediate of your time for a lot of info to visit our website. You can dial our service number +1(855)424-9807
Amazon Customer Service

Unknown said...

Coinbase is renowned for its systematic and functional customer support system that can be accessed through the Coinbase Support Number. In service 24/7 to help their users resolve any and every query, the Coinbase Support Number +1-855-504-2315 helps the platform reach its customers anywhere, at any time.

Unknown said...

If you are a Binance Users and have any specialized technical errors in your Binance account then you have no compelling reason to stress call at Binance Support Number +1-888-330-0764 on which you get profitable and guaranteed help for each specialized errors.
Binance Support Number

Anonymous said...

Google Pay provides its customers with a wide range of Google Pay Customer Care No that can be contacted for 24*7 toll-free services. To Get in touch with Google Pay Customer Care executives please dial the below-given numbers.+1-888-330-0764

Google Pay Customer Service

Unknown said...

Google Pay has to provide many facilities such as mobile banking, Digital payment, and money deposit. If you want to access Google Pay account and registered you phone number, while facing any problem call us Google Pay Customer Care Number +1-888-330-0764

Unknown said...

Google Pay Customer Service +1-833-260-7367 specialists are conveying to required help for issues identified with Google Pay. They can give you exact answers for your specialized glitches identified with Google Pay account
Binance Support Number
Google Pay Customer Care Number
Google Pay Customer Service

Unknown said...

Are you looking for the solutions to handle all the queries that occur because of not able to receive the Dell Printers? If yes, dial Dell Printer Tech Support Phone Number +1-833-260-7367 which is always functional all the time. You will be connected to one of the skilled professionals who are skilled in this industry and know all the modus operandi to tackle all sort of resolves that occur in Dell Products in short-interval of time. You can always contact the team to erase the problems
Dell Printer Support Phone Number

Cash App Customer Service said...

Cash App Customer Support Service +1-833-260-7367 is a team of experts. Best help and support for Cash App customers problem.

Unknown said...

Dell is a worldwide organization, Dell produces a wast scope of electronic gadgets and has a colossal scope of business auxiliaries over the world. Dell has been rendering some inventive, high-caliber, and adaptable printers just to finish clients' printing, checking, faxing, photocopying needs in only one gadget. Besides, In the Dell Printed confronting some specialized glitches you should contact with the experts who might give total answers for the issue and they would likewise help the clients through Dell Printer Support Phone Number +1-833-260-7367
Dell Printer Support Phone Number
Dell Printer Support Phone Number

Unknown said...

Dell Printer support team is extraordinary compared to other client support group which help you in settling numerous types of Dell printer issues. In this way, at whatever point your Dell printer is causing any issues, you simply need to whip out your phone and dial the Dell Printer Customer Support Number +1-833-260-7367. The group will quickly come into salvage and help you in investigating issues. In addition, the group will give you all day, every day administration possibly to determine your issues when you get them. The group comprises of prepared masters who help you in distinguishing and redressing the issue.
Dell Printer Support Phone Number
Dell Printer Support Phone Number

Anonymous said...

I am very happy to see this post because it is very useful for me, because there is so much information in it. I always like to read quality and I'm happy that I got this thing in your post. Thanks for sharing the best article post.
Zelle Support Number

Digital Marketing said...

I like your post.

Latest Technology News

Latest Technology Updates

Latest Technology in the World

George Luther said...

Is your Roku device shows Roku Error Code 003 ? Are you unable to update your Roku device software? Don’t get panic. Our technicians are 24/7 available to solve your queries instantly. You must talk to our technical experts’ team for instant solution. Call on Roku helpline toll-free number USA/Canada: +1-888-480-0288 & UK: +44-800-041-8324. Get in touch with us.

Lisa Ashley said...

Are you getting Wi-Fi connectivity issue with your Alexa device? If yes, then don’t look further than Alexa Helpline. Alexa Helpline is a large group of expert technicians who can fix almost every error, issues and problems related to the Alexa device. Alexa Won’t connect to Wi-Fi

Alexa Helpline said...

Don’t want any type of notification from your Echo device? If yes, then you will have to activate DND service on your Echo device. For that you need an expert technician’s help who can guide you properly. Echo Helpline will be the best option for you. Echo customer service

Geeks For Tech said...

If your home’s electric devices or appliances are not working properly and you are looking for an expert technician for that; then Geeks for Tech can help you. Expert and qualified technicians of Geek Support can make your life easy by resolving your devices problems. You can call anytime, we are available for you 24*7. geek Squad Services

georgelurther said...

canon printer is offline macerror occurs due to miscommunication between printer and your system. If you are facing this error then get help from our experts and resolve your error within the shortest time span. To know more, visit our website canon printer offline. Our Technical experts are experienced and know how to take care of such issues.

thomas said...

Nice Blog!
How to update company Bank Account for Direct Deposit?.Get efficient solution with Our expert.
Click Here to Know How to update company Bank Account for Direct Deposit
Dial our tech support Number for any support +1-844-908-0801.

Amily said...

Nice & Informative Blog !
Facing QuickBooks Payroll Error 30159? Get detailed assistance from our QB experts by dialling us at 1-855-6OO-4O6O. The error can arrive anytime while working on the Payroll or updating the payroll.

Don said...


jacksoncooper said...

Are you unable to use kindle? Kindle won’t connect to wifi? Don’t know how to fix this error? Not to worry, get the best solution from highly skilled techies. Our team is available round the clock to help you. To know more visit the website Ebook Helpline.

lucynelson said...

Do you know why your canon printer won't connect to wifi? If you want to know the reason behind this error and want to know the troubleshooting steps to fix this error, then get connected with us. Our dedicated team will help you in fixing this error. To know more visit the website Printer Offline Error.


cami avizesi - no deposit bonus forex 2021 - takipçi satın al - takipçi satın al - takipçi satın al - - instagram beğeni satın al - instagram beğeni satın al - btcturk - tiktok izlenme satın al - sms onay - youtube izlenme satın al - no deposit bonus forex 2021 - tiktok jeton hilesi - tiktok beğeni satın al - binance - takipçi satın al - uc satın al - sms onay - sms onay - tiktok takipçi satın al - tiktok beğeni satın al - twitter takipçi satın al - trend topic satın al - youtube abone satın al - instagram beğeni satın al - tiktok beğeni satın al - twitter takipçi satın al - trend topic satın al - youtube abone satın al - - tiktok takipçi satın al - tiktok beğeni satın al - twitter takipçi satın al - trend topic satın al - youtube abone satın al - instagram beğeni satın al - perde modelleri - instagram takipçi satın al - takipçi satın al - instagram takipçi satın al - betboo

Unknown said...

takipçi satın al
instagram takipçi satın al

Unknown said...

coinbase mi binance mi
binance referans kimliği nedir
kripto para nasıl alınır
coin nasıl alınır
binance 20
tiktok jeton hilesi

lucynelson said...

Looking for simple methods to solve canon printer error e02? At Printer Offline Error, you will find solutions for all printer errors. Here you will get assistance from highly skilled experts and they are available 24/7 to provide the services. Contact them at toll-free number USA/Canada: +1-888-272-8868.

jacksoncooper said...

Do you need an expert's help to solve kobo forma won’t connect to wifi error? Our team is very dedicated and has years of experience in resolving kindle errors. So if you have any issue with your kindle device just dial the helpline number USA/Canada: +1–844-601-7233 and your problem will be solved within minimum time. Go through the website Ebook Helpline for more information.

Unknown said...

fon perde modelleri
sms onay
mobil ödeme bozdurma
Nft nasıl alınır
Ankara Evden Eve Nakliyat

Dream Home Makers said...

Flat for sale in Dwarka Mor· 2 BHK Flat in Uttam Nagar. 2 BHK Flat in Rajouri garden · 2 BHK Flat in Hari Nagar · 3 BHK Flat in Om. Apartments flats for sale in Dwarka Mor Uttam Nagar, Delhi · 3 BHK Apartment/Flat in Dwarka Mor Uttam Nagar for Sale. Flat For Sale In Dwarka Mor

Post a Comment