Preliminary analysis of Facebook clickjacking (aprilfoolsprank)

If you have already been a victim of this, change your password and unlike the page as soon as possible.

A malicious app called “aprilfoolsprank”, which likes a page on the user’s behalf and tries to phish the user into disclosing his/her Facebook login and password, is taking its toll on Facebook users.

What appears: The app displays a video, and as soon as the user tries to play it, she/he is logged out.

What happens:
The displayed video is actually an image which, when clicked, adds a script element (downloaded from http://173.231.144.82/fb1.js); thus, by manipulating the DOM tree of the page, untrusted JavaScript gets executed on the page.
[As per my limited understanding of the FB JS sandbox model, the app should not have been able to manipulate the DOM tree, but the app is able to escape fbjs by having a "javascript:" pseudo-URL as the href of an anchor tag. I do not know the internals of fbjs, so I won't comment on this manipulation further]
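A defensive static check for the two things described above (anchors carrying a "javascript:" pseudo-URL and script inclusion from a domain outside an allowlist), as an added example that is not code from the original post or from fbjs; the function names, the allowlist and the sample markup are assumptions constructed for illustration:

```javascript
// Added example, not from the original post: a static check a page sanitizer
// could run over app-supplied markup. It flags anchors whose href is a
// "javascript:" pseudo-URL and <script src> elements whose origin is not
// allowlisted. Names, allowlist and sample markup are constructed assumptions.

// Decode numeric entities, strip control/whitespace characters and lower-case,
// so the scheme check is not fooled by trivial obfuscation of the prefix.
function normalizeUrl(raw) {
  const decoded = raw
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  return decoded.replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

// Pull one attribute value (quoted or bare) out of a single opening tag.
function attrValue(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findUnsafeMarkup(html, allowedScriptOrigins) {
  const findings = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    const href = attrValue(tag, "href");
    if (href !== null && normalizeUrl(href).startsWith("javascript:")) {
      findings.push({ kind: "javascript-href", value: href });
    }
  }
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const src = attrValue(tag, "src");
    if (src === null) continue;            // inline script: not a remote include
    let origin = null;
    try { origin = new URL(src).origin; } catch (_) { /* relative or malformed */ }
    if (origin === null || !allowedScriptOrigins.includes(origin)) {
      findings.push({ kind: "untrusted-script-src", value: src });
    }
  }
  return findings;
}

// Constructed sample resembling the markup the post describes: a fake "video"
// image wrapped in a javascript: link, plus a remote script from the same host.
const SAMPLE = `
<a href="javascript:playVideo()"><img src="play.png" alt="Play video"></a>
<a href="https://example.com/page">ordinary link</a>
<script src="http://173.231.144.82/fb1.js"></script>
<script src="https://static.example.com/app.js"></script>`;
const ALLOWED = ["https://static.example.com"];
```

A real sanitizer would parse the markup properly rather than regex-match tags; the point here is normalizing the URL before the scheme check and allowlisting script origins instead of trusting the sandbox alone.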

What this app does:

  1. Likes the link http://cotyperfume.info/aprilprank/ [as of this writing, ~60,000 users have liked this link]
  2. Logs the user out of Facebook.
  3. Displays a phishing page [screenshot here] which sends the user’s email address and password to http://173.231.144.82/log.php

EDIT 1: The app info page (with the name of the developer) is here.

EDIT 2: The obfuscated javascript contains an email address rasheedamaule548@yahoo.com

EDIT 3: The code actually verifies that the entered username and password are correct and then shows this YouTube video; otherwise, an error message is shown prompting the user to re-enter the login and password. [This one is a cool trick, isn't it :)]

EDIT 4: The app was “liked” by at least 120,000 users before being removed by Facebook.

EDIT 5: Based on this news article, I guess that allowing javascript: handlers to do script inclusion from untrusted domains was the cause of this.

This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.