If you have already been a victim of this, change your password and unlike the page as soon as possible.

A malicious app called “aprilfoolsprank”, which likes a page on the user’s behalf and then tries to phish the user into disclosing his/her Facebook login and password, is taking its toll on Facebook users.

What appears: The app displays a video, and as soon as the user tries to play it, he/she is logged out.

What happens:
The “video” displayed is actually an image; when clicked, it adds a script element (downloaded from http://173.231.144.82/fb1.js ) to the page. By manipulating the DOM tree of the page in this way, untrusted JavaScript gets executed in the page’s context.
[As per my limited understanding of the FB JS sandbox model, the app should not have been able to manipulate the DOM tree, but it is able to escape FBJS by using a “javascript:” pseudo-URL as the href of the anchor tag. I do not know the internals of FBJS, so I won’t comment on this manipulation further.]

What this app does

  1. Likes the link http://cotyperfume.info/aprilprank/ [as of this writing ~60,000 users have liked this link]
  2. Logs the user out of Facebook.
  3. Displays a phishing page [screenshot here] which sends the user’s email address and password to http://173.231.144.82/log.php

EDIT 1: The app info page (with the name of the developer) is here

EDIT 2: The obfuscated JavaScript contains an email address, rasheedamaule548@yahoo.com

EDIT 3: The code verifies that the entered username and password are correct and, if so, shows this YouTube video; otherwise, an error message is shown prompting the user to re-enter the login and password. This one is a cool trick, isn’t it 🙂

EDIT 4: The app was “liked” by at least 120,000 users before being removed by Facebook.

EDIT 5: Based on this news article, I guess that allowing javascript: handlers to include scripts from untrusted domains was the cause of this.
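To make the two weaknesses above concrete (a “javascript:” pseudo-URL accepted as an anchor href, and a script element loaded from an arbitrary host), here is an added example of the kind of defensive checks a platform rendering third-party app markup would apply. This is my own illustration, not Facebook’s or FBJS’s code; the trusted-host allowlist is an assumption, and the test inputs are constructed from the behaviour described in this post.

```javascript
// Added example (not from the original post): defensive checks for
// user-supplied hrefs and script sources. The allowlist below is an
// assumption for illustration, not a real platform setting.
const TRUSTED_SCRIPT_HOSTS = new Set(['static.example.com']); // assumed host

// Undo the HTML-entity tricks commonly used to hide a scheme from a naive
// string match (e.g. "&#58;" for ":"), so the scheme check sees what the
// browser would see after the attribute value has been decoded.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/&colon;/gi, ':');
}

// Browsers strip leading/trailing space and embedded tab/newline before
// parsing the scheme, so the check must do the same or it can be bypassed.
function extractScheme(href) {
  const cleaned = decodeEntities(href).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null => relative URL, no scheme
}

// Allowlist of schemes: anything else (javascript:, data:, vbscript:, ...)
// is refused rather than trying to blocklist known-bad ones.
function isSafeHref(href) {
  const scheme = extractScheme(href);
  if (scheme === null) return true;
  return scheme === 'http' || scheme === 'https' || scheme === 'mailto';
}

// A script element may only be added if its source is an https URL on a
// host the platform explicitly trusts; a bare IP on http never qualifies.
function isTrustedScriptSrc(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return false; // unparsable src is refused
  }
  return url.protocol === 'https:' && TRUSTED_SCRIPT_HOSTS.has(url.hostname);
}

// Apply both checks to a set of elements described as {tag, attrs}.
// Returns the list of elements that would be dropped before rendering.
function rejectedElements(elements) {
  return elements.filter((el) => {
    if (el.tag === 'a' && 'href' in el.attrs) return !isSafeHref(el.attrs.href);
    if (el.tag === 'script' && 'src' in el.attrs) return !isTrustedScriptSrc(el.attrs.src);
    return false;
  });
}

// Constructed sample markup modelled on the post: one anchor with a
// javascript: href and one script tag pointing at the IP named above.
const SAMPLE = [
  { tag: 'a', attrs: { href: 'javascript:void(0)' } },
  { tag: 'a', attrs: { href: 'https://www.facebook.com/' } },
  { tag: 'script', attrs: { src: 'http://173.231.144.82/fb1.js' } },
];

module.exports = { isSafeHref, isTrustedScriptSrc, rejectedElements, SAMPLE };
```

Running `rejectedElements(SAMPLE)` returns the javascript: anchor and the script pointing at the untrusted IP, and keeps the plain https link. The scheme allowlist is the important design choice: a blocklist that only strips the literal string “javascript:” misses case changes, embedded whitespace and entity-encoded colons, all of which the normalisation above handles.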

This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.