
Today I came across a worm on Facebook that works through social engineering. If I get any Facebook terminology wrong, I apologize in advance: I do not use it often.
A personal message or invitation arrives from a friend (or several), containing what looks like a video shared on Facebook. It leads to facebook.com/pages/( ). After following the link, a page appears with an image resembling a video player. After clicking Play, a window appears inviting you to validate yourself in one of three ways:
- keyboard;
- mouse;
- touchscreen.
Keyboard. Follow the instructions: 1) press Ctrl-C, 2) press Alt-D, 3) press Ctrl-V, Enter.
Having done this, the visitor copies the bookmarklet, moves focus to the address bar, pastes it and executes it. Concentrating on following the instructions exactly, he will not notice the deception.

Mouse. You are asked to drag a piece of text into the browser's address bar. The text is a bookmarklet link. After dragging and dropping, the link itself is executed (no Enter is needed).
Touchscreen. Reports that the feature is not supported. Probably just a stub.
As a result of a successful "validation", the link is distributed to the victim's friends, and the promised video is played.
Conditions for implementation and consequences
This "vulnerability", given a suitable design, will work on any site.
Successful execution lets the attacker manipulate any of the user's data on the current site using JavaScript: sending personal messages, changing and deleting posts and comments, changing the password, transferring personal data to other users of the site or to third-party sites (via the site's API), and so on.
Technical information
This is not another hole in Facebook but the use of social engineering to reach the goal. The validation window is done neatly and in Facebook's style; the visitor assumes it is a new way of protecting against bots and diligently does what is asked of him.
In the keyboard check, the code itself is present on the page as text, and the user himself launches it through the browser's address bar. If the visitor hesitates or switches focus, the script displays a window with a hint and offers to start over.
In the mouse check, an <iframe> is loaded with the address http://*wvvv.info/i/chrome2.php, which contains a link with JS code. The browser prohibits the <iframe> from accessing the parent page, and NoScript blocks the code from executing, but if you drag it into the address bar it will of course be executed, since it is then no longer part of the site (see below for how to properly configure NoScript for this case).
Interesting
Sometimes an error was noticed:
Warning: mysql_connect () [function.mysql-connect]: User minus90i_acce55 already has more than 'max_user_connections' active connections in /home/minus90i/WWVVVV.INFO/i/data/db.php on line 8
Error connecting to mysql.
Apparently, the authors did not forget to collect statistics on their creation.
The video still plays: tricks with a soccer ball, not bad.
At the moment the page with the "video" loads, but nothing works beyond that. Apparently, the server could not stand the load.
Update: in the comments they say that it now redirects to a separate page with the video (the site is the same, http://*wvvv.info).
How to avoid
Unfortunately, there is no software solution, only a "hardware" one.
Do not follow instructions you do not understand, especially those involving browser manipulation (keyboard, address bar, bookmarks, exceptions, settings, etc.).
Update: however, there is a partial solution for Firefox.
Partial Firefox Solution
1. Install NoScript.
2. Type "about:config" in the address bar and accept the warning if asked.
3. In the filter field, type "allowURLBarJS" and switch the value to "false" by double-clicking it.
This disables data: and javascript: URLs in the address bar for all sites except those allowed (Allowed, Trusted, Whitelisted). The solution is partial, since visitors most often add Facebook to their allowed sites (otherwise JavaScript will not work everywhere on it).
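As an added defensive illustration (not code from the original post or from NoScript): a check of the kind NoScript applies when allowURLBarJS is false, usable on the site side to flag shared links whose target is really a bookmarklet rather than a video. It normalizes the string the way a browser's URL parser does before reading the scheme, so whitespace and case tricks do not slip past; the link records are constructed sample data.

```javascript
// Added example: classify URL strings by script-bearing scheme and audit a
// list of links for bookmarklets. Not part of the worm or of NoScript.

const SCRIPT_SCHEMES = new Set(["javascript", "data", "vbscript"]);

// Normalize as the WHATWG URL parser does before scheme detection:
// strip leading/trailing C0 controls and spaces, drop ASCII tab and
// newline anywhere, and compare the scheme case-insensitively.
function normalizeForScheme(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "")
    .toLowerCase();
}

// Return the scheme name if the string would run as a script/data URL,
// otherwise null (https:, mailto: and schemeless strings are not flagged).
function scriptScheme(raw) {
  const s = normalizeForScheme(raw);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(s);
  if (!m) return null;
  return SCRIPT_SCHEMES.has(m[1]) ? m[1] : null;
}

// Audit {text, href} link records (extracted from a DOM or a submitted
// message) and return only those whose href is a bookmarklet.
function findBookmarkletLinks(links) {
  return links
    .map((l) => ({ ...l, scheme: scriptScheme(l.href) }))
    .filter((l) => l.scheme !== null);
}

// Constructed sample: bait links styled like a video share, plus benign ones.
const SAMPLE_LINKS = [
  { text: "Watch video", href: "https://video.example/share/1" },
  { text: "Drag me to the address bar", href: " JavaScript:void(0)" },
  { text: "Validate", href: "java\tscript:void(0)" },
  { text: "Open player", href: "DATA:text/html,x" },
  { text: "Contact", href: "mailto:someone@example.invalid" },
];

// findBookmarkletLinks(SAMPLE_LINKS) returns the three script/data entries.
```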
PS * = w. (page name) = WOW-this-guy-has-the-most-amazing-skills-ever-This-is-unbelievable / 162965220400728. On the Internet I found more screenshots.