





















If you have been already a victim of this, then change your password and unlike the page as soon as possible. (See also How do you store my password? for why reusing the leaked password on other sites is even worse.)
A malicious app called “aprilfoolsprank” which likes a page on a user’s behalf and tries to phish a user into disclosing his/her Facebook login and password is taking its toll on Facebook users. A pure like-jacking variant (without the phishing step) is covered in Preliminary analysis of Facebook Click jacking Attack “Chica Sexy”.
]
What appears: The app displays a video and as soon as the user tries to play it, she/he is logged out.
What happens: The video displayed is an image that on clicked adds a script element (download from http://173.231.144.82/fb1.js ), thus, by manipulating the DOM tree of the page, an untrusted javascript gets executed on the page. [As per my limited understanding of FB JS sandbox model, the app should not have been able to manipulate the DOM tree but the app is able to escape the fbjs by having a “javascript:” pseudo URL as a href for the anchor tag. I do not know the internals of fbjs, so I won’t comment on this manipulation further]
What this app does
EDIT 1: The app info page (with the name of the developer) is here EDIT 2: The obfuscated javascript contains an email address rasheedamaule548@yahoo.com
EDIT 3: The code verifies that the entered username and password are correct and shows this YouTube video otherwise, an error message is shown prompting the user to re-enter the login and password. This one is a cool trick, isn’t it :)
EDIT 4: The app was “liked” by at least 120, 000 users before being removed by Facebook.
EDIT 5: Based on this news article, I guess that allowing javascript: handlers to do script inclusion from untrusted domains was the cause of this.
This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。