May 9, 2010

Dumbjacking

One of my Facebook buddies got hit with an attack today that spammed his entire friends list with a link to a "fan page". The page promises "LOOK AT HIS COMMENT.. IM STILL IN SHOCK!!" and gives you a button to "see the worst status update ever". When you click it, you are given a series of commands: hit Ctrl-C, then hit Alt-D, then hit Enter.

Unbeknownst to the user, there is a hidden textfield on this page containing Javascript code. Upon clicking the button these contents are automatically selected. The instructions, when followed, result in the user copying the code and pasting it into their address bar, where it runs like a bookmarklet. You can see a deconstruction of the code in question in this blog post. The Javascript is obfuscated, but there's no technical need for that - probably just a scammer trying to protect his secret.

Having the user copy and paste the Javascript into their address bar breaks out of the sandbox for third-party content, allowing full control over the user's account. The code uses this power to silently mark the user as "liking" the offending page, and sends a message to all their friends "suggesting" the page.

The Facebook page in question has been taken down, but at the end of the process the user is linked to this URL to see the promised status update (I don't recommend visiting it):
http://facebook-lmao.blogspot.com/2010/05/shocking-status-update-guy-needs.html

There is some invasive Javascript going on that tries to con you into taking a survey. Presumably this is the motivation behind this attack - get people to this site and then relieve them of their money through a venerable internet scam of one type or another. Interestingly, if you can make it past the survey (thanks, Firebug), there's a link to this post, which seems to be a legitimate and unaffiliated blog.

Lord knows Facebook has had their share of security fails in the past, but this particular technique seems to have surfaced only recently. I am christening it Dumbjacking, because it's like Clickjacking, but dumber. It relies on tricking the user into doing something dumb, like pasting Javascript into their address bar.

But here's the problem: this technique is nothing if not effective. As of writing this, the page I investigated had 15,571 people who "liked" it. It seems dumb, but for someone who has no idea about "Javascript" or "URLs" or "the address bar", the shady sequence of keypresses means nothing and raises no red flags. In fact, a decade of awful usability in web apps has trained people to find arcane instructions like "Press CTRL and C" mundane, a normal part of using websites.

Dumbjacking is never going to be completely preventable. There will always be gullible, confused people who will blindly follow any number of steps (remember the old IRC Alt-F4 gag?) and somehow compromise their accounts or other information. We can't prevent all of it.

But a large part of the responsibility lies with Facebook's awful app model. The idea of allowing third-party HTML (and worse, sandboxed JS) to sit right inside pages on the official Facebook site is just terrible. I don't think they have accurately assessed the threat of "native styling" - that is, third-party widgets that look exactly like real Facebook widgets. There's no indication of where Facebook-sanctioned content ends and third-party code begins. Give users a button that looks like a Facebook button, and they will click it. Give users incomprehensible instructions on a Facebook page with the promise of something outrageous at the end, and they will follow them to the letter.

Can a site prevent every instance of users doing something stupid? Of course not. But the Facebook app system is just making it easy for scammers. Embedded content means you can launch your attack from the cozy confines of Facebook itself, and Facebook's mission to plaster those stupid "Suggest this to a friend" buttons across every corner of the earth means there will be no shortage of new attack vectors.

The technical decisions coming out of Facebook are the decisions of a company interested in monetizing as much as possible instead of doing right by their customers. There will be no end of security and privacy problems surfacing on Facebook. As far as I'm concerned, it should be treated as a site that is always compromised, where all information is public, and no content is trusted. Want to stay safe on Facebook? Use it as little as possible.