Thursday, September 9, 2010

Reverse engineering the latest Facebook worm

Earlier today I noticed several of my friends had been hit by a Facebook worm that updated their status, created an event, and finally invited all of their friends to the event. The purpose of the worm was to widely distribute several "work from home" and similar scams. All of this happened instantly when they clicked on a link that they had seen posted by another user that had fallen for the trap. Knowing that Facebook would fix the issue soon, I immediately opened up my HTTP debugging tools and set about discovering how it worked.

Step 1: The user clicks a shortened url posted by a friend that has been hit by the worm. Each victim's status is updated with a new shortened url, and multiple URL shorteners are used.

Step 2: The user is redirected to one of many domains. In my case it was http://vidxapp3.co.cc/joblp/?go=973

Step 3: The exploit site loads an iframe to one of many facebook applications that have been set up by the attacker. The facebook application to use is chosen randomly from a large list to make the exploit more difficult to stop.

The Facebook application is built using FBML and FBJS, a special markup language and JavaScript variant designed to allow Facebook application developers to write applications that run inside of Facebook's context. This is done by disallowing harmful tags, prefixing all ID attributes with the application id, and only allowing developers to use a small set of custom JavaScript getter and setter functions to interact with the part of the DOM that belongs to the application.

In addition to disallowing certain tags, FBML provides the developer with the ability to use special tags such as the Like button. These tags are turned into HTML prior to being served to the user's browser, and a sandboxing method is employed to prevent FBJS from accessing them (To click the like button without the user's permission, for example). The sandboxing method essentially consists of applying an attribute to the HTML that tells the FBJS getter methods provided to developers that they should not be allowed to fetch the element via getElementById or any other methods.

Step 4: The malicious Facebook application makes a Ajax request through Facebook's servers to load additional FBML.

Due to an error on Facebook's part, the developer is able to get around the normal FBJS sandboxing methods for the like button using code essentially like the following:



You likely see the problem here. The <fb:like> FBML tag will generate HTML that will contain the HTML attributes that instruct FBJS to disallow access to it, but that won't matter because the HTML simply gets rendered as text inside the textarea.

Step 5: The malicious application uses FBJS to parse the HTML generated from the like button and steal the CSRF protection tokens from it (You can read more about CSRF here).

Here's the code (Cleaned up slightly from the modifications Facebook's FBJS parser makes to try to sandbox it):



You can see that the FBJS code steals two CSRF protection keys. One is fb_dtsg, and the other is post_form_id. These keys are then used to set the source of an iframe to a URL such that the attacker now has access to those keys.

Step 6: The attacker's iframe makes a request to http://westernshowercurtains.info/app/golike.php?p=4490d3098311ba39ba6db0932c3310e1&d=_xURo
Which uses CSRF to make the user Like (fan) a page:



Step 7: The attacker's iframe makes a request to http://westernshowercurtains.info/app/gostatus.php?p=4490d3098311ba39ba6db0932c3310e1&d=_xURo which updates the user's status using the following code:



Step 8: The attacker's iframe makes a request to http://westernshowercurtains.info/app/goauth.php?app=159222847426674&p=4490d3098311ba39ba6db0932c3310e1&d=_xURo which authorizes the Facebook application using the following code:



If you look carefully, you'll notice that the application will now be granted permission to publish to stream, create an event, and RSVP for events.

After step 8, Facebook reads the next parameter from the form and redirects the user to step 10 at http://westernshowercurtains.info/app/gomessage.php?p=4490d3098311ba39ba6db0932c3310e1&app=159222847426674&d=_xURo.

Step 9: The application creates an event on the user's behalf and invites all of their friends (server side)

Step 10: This user is redirected to a page with another CSRF form to spam all of their friends with messages.


---

Facebook patched the security flaw used by this worm shortly after it was discovered. FBML tags inside of textareas are now no longer converted to HTML.

This was a particularly interesting worm due to the use of an FBML flaw as an attack vector. Approximately a year ago I reported a similar issue due to improper sand-boxing of FBJS Dialog boxes. As with many technologies as complex as FBML, they can provide an excellent method of attack for hackers that are willing to learn their way around them.

Perhaps wisely, Facebook has chosen to move away from FBML canvas applications. Until then, hopefully we won't see too many more of these vulnerabilities discovered by the bad guys.


Like this post? Please vote it up on YC News.

33 comments:

Xero said...

Don't you think FaceBook would want to fix this flaw to prevent the attack? Nevertheless, you got to give the hackers credit. They make the pages look real. Then they got you.

Rich said...

Very insightful and a good read. Thanks for explaining this in clear terms. It's good to know the flaw is now patched.

Manoj Vivek said...

wat is the http debugging tool..

Canberk Bolat said...

@Manoj Vivek HTTP Debugging Tool referring to HTTP Proxy. Like Fiddler, Burp etc..

George Deglin said...

Yes, my favorite is Fiddler2. I generally keep Firebug's network panel open as well.

John Smith said...
This comment has been removed by the author.
John Smith said...

If you any problem with your software then connect with Quicken support phone Service is an effort done to help. The professionals are trained at such a level that they are able to deal even with the most complicated problems.
https://www.wizxpert.com/quicken-support/

Unknown said...

Thank you so much for the sharing article.

Roku Phone Number

Giselparry said...

hi I am kunti
I read your article it's very nice and I very happy to see your article.I Want to read your blog every time when i open this and your information is truely good i loved it i have same type of article which i want to see you hope you like my article.
Facebook customer service 
thankyou

Giselparry said...


hi I am kunti
I read your article it's very nice and I very happy to see your article.I Want to read your blog every time when i open this and your information is truly good i loved it i have same type of facebook tech support if you need any help this article is useful to you. and once again your article is too good.
facebook tech support 
thankyou

JOHN said...

Hi, I am Ipsita. I am very happy to read your article. Your article is very good. This article is an important information for me. If you have some time please read my article and suggest me how can I improve my article. And thank you for priceless information. Visit this site to know about my article details: http://www.powerlinkoil.com/transformer-oil/

Giselparry said...

hi, i am kunti i am very happy to read your article in your article have an important information for me.hi
i am sameera bilwal
i read your article it was amazing it has full information and i loved to read it.
i want to read your article every time,if you can post this article every time i get so happy.
give me some advice on how do i improve it. please read my article and give me some information of it.
thankyou
Roku Com Link

sofia said...

If you want to delete or deactivate your Facebook account but you have no proper knowledge that how to do it .that case you can get help from technical support team which resolves your Facebook issues. You can easily connect technical support team

Facebook Customer Service

Facebook Customer Service

Facebook Support Number

Facebook Phone Number

Facebook Phone Number

Facebook Support Number

Facebook Support Number

Facebook Support Phone Number

Facebook Support Number

Amy Jones said...

Welcome to our Technical Support, we are here to help you - just let me know your problem . . .
Call us: +1-855-341-9287

Gmail Service Number

Anonymous said...

Are you facing inconvenience Amazon Prime account and some other would error related Amazon products? OPT Customer Service provides tech support master reach your place to resolve your entire Amazon problems in an immediate of your time for a lot of info to visit our website. You can dial our service number +1(855)424-9807
Amazon Customer Service

Anonymous said...

Coinbase is renowned for its systematic and functional customer support system that can be accessed through the Coinbase Support Number. In service 24/7 to help their users resolve any and every query, the Coinbase Support Number +1-855-504-2315 helps the platform reach its customers anywhere, at any time.
https://www.onesearchpoint.com/coinbase
https://coinbasesupportnumberservice.blogspot

Anonymous said...

If you are a Binance Users and have any specialized technical errors in your Binance account then you have no compelling reason to stress call at Binance Support Number +1-888-330-0764 on which you get profitable and guaranteed help for each specialized errors.
https://binanceexchange-support-number.blogspot.com
Binance Support Number
https://www.onesearchpoint.com/binance-support-number
https://binancesupportus.blogspot.com

Anonymous said...

Google Pay has to provide many facilities such as mobile banking, Digital payment, and money deposit. If you want to access Google Pay account and registered you phone number, while facing any problem call us Google Pay Customer Care Number +1-888-330-0764
https://www.onesearchpoint.com/googlepay-customer-service
https://www.onesearchpoint.com/binance-support-number
https://binanceexchange-support-number.blogspot.com
https://coinbasesupportnumberservice.blogspot.com

Anonymous said...

Google Pay Customer Service +1-833-260-7367 specialists are conveying to required help for issues identified with Google Pay. They can give you exact answers for your specialized glitches identified with Google Pay account
Binance Support Number
Google Pay Customer Care Number
https://getcustomerservice.blogspot.com
Google Pay Customer Service

Anonymous said...

Are you looking for the solutions to handle all the queries that occur because of not able to receive the Dell Printers? If yes, dial Dell Printer Tech Support Phone Number +1-833-260-7367 which is always functional all the time. You will be connected to one of the skilled professionals who are skilled in this industry and know all the modus operandi to tackle all sort of resolves that occur in Dell Products in short-interval of time. You can always contact the team to erase the problems
Dell Printer Support Phone Number
https://www.onesearchpoint.com/dell-printer-support-phone-number

Cash App Customer Service said...


Cash App Customer Support Service +1-833-260-7367 is a team of experts. Best help and support for Cash App customers problem.
https://www.onesearchpoint.com/cash-app-customer-service/
Cash-App-Customer-Service

Anonymous said...

Dell is a worldwide organization, Dell produces a wast scope of electronic gadgets and has a colossal scope of business auxiliaries over the world. Dell has been rendering some inventive, high-caliber, and adaptable printers just to finish clients' printing, checking, faxing, photocopying needs in only one gadget. Besides, In the Dell Printed confronting some specialized glitches you should contact with the experts who might give total answers for the issue and they would likewise help the clients through Dell Printer Support Phone Number +1-833-260-7367
Dell Printer Support Phone Number
https://www.onesearchpoint.com/dell-printer-support-phone-number
Dell Printer Support Phone Number

Anonymous said...

Dell Printer support team is extraordinary compared to other client support group which help you in settling numerous types of Dell printer issues. In this way, at whatever point your Dell printer is causing any issues, you simply need to whip out your phone and dial the Dell Printer Customer Support Number +1-833-260-7367. The group will quickly come into salvage and help you in investigating issues. In addition, the group will give you all day, every day administration possibly to determine your issues when you get them. The group comprises of prepared masters who help you in distinguishing and redressing the issue.
Dell Printer Support Phone Number
https://www.onesearchpoint.com/dell-printer-support-phone-number
Dell Printer Support Phone Number

Anonymous said...

I am very happy to see this post because it is very useful for me, because there is so much information in it. I always like to read quality and I'm happy that I got this thing in your post. Thanks for sharing the best article post.
Zelle Support Number

Digital Marketing said...

I like your post.

Latest Technology News

Latest Technology Updates

Latest Technology in the World

George Luther said...

Is your Roku device shows Roku Error Code 003 ? Are you unable to update your Roku device software? Don’t get panic. Our technicians are 24/7 available to solve your queries instantly. You must talk to our technical experts’ team for instant solution. Call on Roku helpline toll-free number USA/Canada: +1-888-480-0288 & UK: +44-800-041-8324. Get in touch with us.

georgelurther said...

canon printer is offline macerror occurs due to miscommunication between printer and your system. If you are facing this error then get help from our experts and resolve your error within the shortest time span. To know more, visit our website canon printer offline. Our Technical experts are experienced and know how to take care of such issues.

thomas said...

Nice Blog!
How to update company Bank Account for Direct Deposit?.Get efficient solution with Our expert.
Click Here to Know How to update company Bank Account for Direct Deposit
Dial our tech support Number for any support +1-844-908-0801.

jacksoncooper said...

Are you unable to use kindle? Kindle won’t connect to wifi? Don’t know how to fix this error? Not to worry, get the best solution from highly skilled techies. Our team is available round the clock to help you. To know more visit the website Ebook Helpline.

lucynelson said...

Do you know why your canon printer won't connect to wifi? If you want to know the reason behind this error and want to know the troubleshooting steps to fix this error, then get connected with us. Our dedicated team will help you in fixing this error. To know more visit the website Printer Offline Error.

lucynelson said...

Looking for simple methods to solve canon printer error e02? At Printer Offline Error, you will find solutions for all printer errors. Here you will get assistance from highly skilled experts and they are available 24/7 to provide the services. Contact them at toll-free number USA/Canada: +1-888-272-8868.

jacksoncooper said...

Do you need an expert's help to solve kobo forma won’t connect to wifi error? Our team is very dedicated and has years of experience in resolving kindle errors. So if you have any issue with your kindle device just dial the helpline number USA/Canada: +1–844-601-7233 and your problem will be solved within minimum time. Go through the website Ebook Helpline for more information.

Anonymous said...

fon perde modelleri
sms onay
mobil ödeme bozdurma
Nft nasıl alınır
Ankara Evden Eve Nakliyat
TRAFİK SİGORTASİ
Dedektor
HTTPS://KURMA.WEBSİTE
ASK ROMANLARİ

Post a Comment