

Deobfuscating the Facebook Spam Script - infinity
http://www.kahusecurity.com/2011/deobfuscating-the-facebook-spam-script

======
3ds
Here is the proper deobfuscated code:

<http://pastebin.com/nkBx8GbH>

reddit discusses it nicely:

[http://www.reddit.com/r/netsec/comments/h9ke3/facebook_being...](http://www.reddit.com/r/netsec/comments/h9ke3/facebook_being_hit_by_an_xss/)

------
adsr
Wouldn't it be possible to deny any scripts that looked like that? I know that
it must obviously be legal JavaScript, but if it's formatted like one blob of
text, deny. This might be too naive an approach to work; I'm mostly raising the
question out of curiosity: is it possible to spot obfuscation
programmatically?

~~~
andfarm
Harmless Javascript minification can be difficult to distinguish from
intentional obfuscation. Packer in base62 mode
(<http://dean.edwards.name/packer/>) is a good example.

~~~
adsr
Interesting, but what purpose does that serve? Wouldn't it be possible to
formulate a rule for an organization where you deny this as well?
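
As an added example for this subthread (not code from the kahusecurity article or from either commenter), here is a small static scorer that attempts what adsr asks for, and which illustrates andfarm's point: a sample built in the shape of Dean Edwards' Packer base62 output trips the same signals as a hex-escaped spam-style blob, while ordinary one-line minification does not. The `obfuscationSignals`/`classify` helpers, the weights and thresholds, and all four sample scripts are assumptions constructed for this example; the Packer prologue pattern is a rule of thumb based on Packer's published output format, not a signature from the article.

```javascript
// Added example for this thread (not code from the kahusecurity article or from
// the commenters): crude static heuristics for flagging obfuscated or packed
// JavaScript, and a demonstration that Packer-style output (a legitimate
// minifier) scores like a malicious blob. All four sample scripts below are
// constructed for this example; PACKED imitates the shape of Packer's base62
// output rather than being real Packer output. Weights and thresholds are
// arbitrary assumptions chosen for illustration.

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Signals a static scanner can compute without executing the script.
function obfuscationSignals(src) {
  const longestLine = Math.max(...src.split("\n").map((l) => l.length));
  const escapes = (src.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || []).length;
  return {
    entropy: shannonEntropy(src),
    longestLine,
    // Hex/unicode string escapes per 100 characters of source.
    escapeDensity: (escapes * 100) / src.length,
    // eval()/Function() on a runtime-built string is the usual unpacking step.
    dynamicEval: /\b(eval|Function)\s*\(/.test(src),
    // Prologue shape of Packer output (p,a,c,k,e,d or p,a,c,k,e,r); assumption.
    packerPrologue: /eval\(function\(p,a,c,k,e,[dr]\)/.test(src),
  };
}

// Weighted score and verdict; a score of 2 or more is treated as suspicious.
function classify(src) {
  const s = obfuscationSignals(src);
  let score = 0;
  if (s.longestLine > 300) score += 1; // minified and packed code both do this
  if (s.entropy > 5.0) score += 1;     // dense payloads, base62 symbol tables
  if (s.dynamicEval) score += 1;
  if (s.escapeDensity > 1) score += 2; // "\x64\x6f..." string hiding
  if (s.packerPrologue) score += 2;
  return { score, verdict: score >= 2 ? "suspicious" : "plain", signals: s };
}

// Constructed sample: readable source with comments.
const PLAIN = `function greet(name) {
  // Say hello to the visitor.
  return "Hello, " + name + "!";
}
document.getElementById("out").textContent = greet("world");`;

// Constructed sample: harmless minification, one long line, nothing hidden.
const MINIFIED = Array.from({ length: 12 }, (_, i) => `function f${i}(a,b){return a+b*${i}}`).join("");

// Constructed sample shaped like Packer base62 output: a legitimate build step
// that a "no blobs" rule would also reject.
const PACKED = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1("2")',62,3,'console|log|hello'.split('|'),0,{}))`;

// Constructed sample: property names hidden in hex-escaped strings.
const ESCAPED = String.raw`var _0x=["\x64\x6f\x63\x75\x6d\x65\x6e\x74","\x77\x72\x69\x74\x65"];window[_0x[0]][_0x[1]]("spam");`;

for (const [name, src] of Object.entries({ PLAIN, MINIFIED, PACKED, ESCAPED })) {
  const { score, verdict } = classify(src);
  console.log(`${name.padEnd(8)} score=${score} verdict=${verdict}`);
}
```

Under these weights PLAIN and MINIFIED come out "plain" while both PACKED and ESCAPED come out "suspicious", which is the problem with an organization-wide "deny blobs" rule: the only way to let legitimate Packer output through is to whitelist its prologue, and a spammer can wrap a payload in exactly that prologue.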

------
pdenya
I was drawn to security for a while mostly because javascript like that must
be so much fun to write and encrypt. Although it's almost as much fun to
decrypt. Until I get some more free time I guess I'll settle for reading about
it.

Also, I love the first comment on this article: "Didn’t you just violate
DMCA?"

------
Luyt
I'm no user of Facebook, and when I see this material, I highly doubt I will
ever try it. Why is Facebook unleashing this kind of stuff on its members? It
shows the traits of malicious JavaScript that shady sites use to exploit
security vulnerabilities in browsers. Why aren't Facebook members allowed
to know what they're made to run? Does Facebook have something nasty to hide?

~~~
ootachi
This is an XSS; it's not something that Facebook put out.

