

JS Source of "Osama Execution" Facebook Worm - hendzen
http://pastebin.com/aaZE6qAP

======
georgefox
Background information for people like me who need it:
<http://www.zdnet.com/blog/security/osama-execution-video-scam-spreading-on-facebook/8607>

------
morganpyne
Some really helpful comments in source :-)

    
    
      count++; // increment counter
      http1.close; // Close the connection
    

Maybe this is all part of the ruse.

------
lm741
For reference, here's a screenshot of the offending page:
<https://skitch.com/3141/r7xca/bin-laden-execution-video>

~~~
prawn
Unrelated: Previously on HN, I could generally trust that a semi-random link
with a lot of votes was likely to be useful and not unsafe. Guinea pigs had
gone before me. Now, if I didn't recognise skitch.com from having seen it a
couple of times, I wouldn't know if this was safe and informative or just a
new, dangerous link.

I checked 'lm741' and they have a karma of 1 but joined a while ago, so has
this not been voted up (and is risky) or did they previously get slammed and
this has been voted up (and is probably safe)?

[I clicked the link and voted lm741 up as it seems safe enough; just
commenting on a side value of the visible vote count that we no longer get.]

------
krallja
Why is the javascript: pseudo protocol still a wide-open attack vector? Is it
because of the potential for beneficial bookmarklets? It feels like there's a
new attack on major sites every day.

~~~
nbpoole
- It's not an issue in IE9: "_The prefix JavaScript: is stripped from any
text pasted into the IE9 address bar. This mitigates a socially-engineered XSS
attack common on social networks wherein users were tricked into performing
self-inflicted XSS injections upon themselves. No, CTRL+C,ALT+D,CTRL+V, ENTER
will not give you magical powers_"
(<http://blogs.msdn.com/b/ieinternals/archive/2011/02/11/ie9-release-candidate-minor-changes-list.aspx>)

- Found the following issue for Firefox:
<https://bugzilla.mozilla.org/show_bug.cgi?id=305692>

- Found the following issue for Chrome:
<http://code.google.com/p/chromium/issues/detail?id=6888>

~~~
krallja
I know something that does give you magical powers:

Ctrl+C,Alt+D,Ctrl+V,Home,j-a-v-a-s-c-r-i-p-t-:,Enter!

I guess if you can convince people that you have something they want, you can
make them do almost anything to their poor browser :(

------
saintfiends
I don't see anything malicious in this one. Maybe I'm wrong? Was wondering
how it can spread. Am I missing something?

------
drivebyacct2
Why is this news to everyone? I've seen it twice today on HN, once on reddit
and my friends are sending it to me like it's big news.

I've been seeing these "copy this JS in your URL bar to get free
cookies/sex/money/nothing" for over a year now.

------
antimatter15
Facebook should enforce that something along the lines of

    
    
        document.addEventListener('copy', function(e){/javascript:/.test(document.getSelection()+'') && e.preventDefault();}, true)
    

be added to every Facebook page (via the FBML sandbox or something) to prevent
users from copying bookmarklets, as they are profoundly dangerous and do much
more harm than good on a social networking site. (Note that the above code is
just a prototype; it's quite incomplete in that it doesn't support IE and
probably leaves a gaping hole for someone to use clipboardData.setText.)

~~~
nbpoole
IE9 actually takes care of this to some degree. For example, try pasting
javascript:alert(1) into your address bar and hitting enter: the Javascript is
blocked. To bypass it, you need to paste part of the URL into the address bar
and manually fill in the rest (specifically, you can't paste a URL starting
with javascript: or vbscript:). To the best of my knowledge, IE9 is the only
browser that implements this kind of protection.

Two thoughts:

1. Disabling Javascript execution via the address bar is not something
Facebook is capable of doing, any more than a random web developer can disable
your ability to view the HTML of a page. Protection at this level is up to the
browser developers.

2. That being said, I believe these kinds of phishing attacks demonstrate a
lack of understanding on the part of end-users regarding what javascript: URIs
can do. It's hard to protect users from themselves. ;-)

~~~
rsoto
Uh.. it still works. <http://i.imgur.com/jQOwU.png>

~~~
nbpoole
Did you type it in or copy/paste? Only copy/paste is blocked. Also, keep in
mind this is a new feature in IE9.

Edit: Just tested again on Windows 7. Pasting javascript:alert(1) caused the
javascript: part of the URI to be stripped.
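
The paste-time stripping of `javascript:` and `vbscript:` prefixes that the thread attributes to IE9, sketched as an added example; it is not part of the thread and not IE9's code. The function names and the normalisation rules (tab/CR/LF and leading control characters ignored, as in WHATWG URL parsing) are assumptions.

```javascript
// Added example (hypothetical helper names): strip script-scheme prefixes
// from text pasted into a URL field before it can be navigated to.
const SCRIPT_SCHEMES = ['javascript', 'vbscript'];

// URL parsers drop tab/CR/LF anywhere in the input and leading C0 control
// or space characters, so "java\tscript:" must be treated as "javascript:".
function stripIgnorable(text) {
  return text.replace(/[\t\r\n]/g, '').replace(/^[\u0000-\u0020]+/, '');
}

function sanitizePastedUrl(text) {
  const original = String(text);
  let out = stripIgnorable(original);
  let stripped = false;
  // Loop so that a doubled prefix ("javascript:javascript:...") cannot
  // survive a single pass.
  for (;;) {
    const m = /^([a-z][a-z0-9+.-]*):/i.exec(out);
    if (!m || !SCRIPT_SCHEMES.includes(m[1].toLowerCase())) break;
    out = out.slice(m[0].length).replace(/^[\u0000-\u0020]+/, '');
    stripped = true;
  }
  // Leave ordinary URLs and plain text exactly as pasted.
  return stripped ? { text: out, stripped: true }
                  : { text: original, stripped: false };
}

// Constructed sample inputs.
const samples = [
  'javascript:alert(1)',
  '  JaVa\tScRiPt:alert(1)',
  'javascript: vbscript:x',
  'http://example.com/?q=javascript:1',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizePastedUrl(s)));
}
```

As the thread notes, a filter at paste time does not cover a prefix that the user types by hand.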

