NEW FB SPAM


Vikas Kurapati

Aug 8, 2014, 4:13:37 AM
to wncc...@googlegroups.com
I am just curious to know what's going on, so I am posting this. There is a new kind of spam going on on FB: some friend of mine sends me a message with some link saying some special videos. If I click that, I am redirected to another webpage, and later the same sort of message is sent from my FB to all my friends who are online at that time.
Can someone explain how this is being done?
Screenshot (9).png

Pratyush Nalam

Aug 8, 2014, 4:37:55 AM
to wncc...@googlegroups.com

JavaScript.

Pratyush Nalam
http://www.cse.iitb.ac.in/~pratnala


--
--
The website for the club is http://wncc-iitb.org/
To post to this group, send email to wncc...@googlegroups.com
---
You received this message because you are subscribed to the Google Groups "Web and Coding Club IIT Bombay" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wncc_iitb+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dilawar Singh

Aug 8, 2014, 5:17:12 AM
to wncc...@googlegroups.com
> JavaScript.

And a certain combination of stupidity or carelessness on the mouse-clicker's part.

Vikas Kurapati

Aug 8, 2014, 5:25:57 AM
to wncc...@googlegroups.com
Can you explain a bit in detail?

Dilawar Singh

Aug 8, 2014, 5:42:26 AM
to wncc...@googlegroups.com
I'd make an educated guess about this.

As soon as you click on a link which executes JavaScript in your browser, it's
not hard to see what one can do with it. This script might emulate various
clicks (e.g. writing a text message and posting it onto the walls of your friends,
or adding you to a certain community, or upvoting a good-for-nothing page,
etc.). Now it is usually the job of the website not to allow such things, but
banning JavaScript in totality would be disastrous for any site. Unless enough
people report such a link as fraudulent, it won't be detected.

The best thing to do is not to click onto anything which looks suspicious; you
know them when you see them: they advertise themselves too much with "eye-ball
catching/erecting penis" stuff.

Dilawar

Manish Goregaokar

Aug 8, 2014, 11:35:07 AM
to wncc...@googlegroups.com
One of the following:

  • The site downloaded something which you blindly executed
  • The site opened up something and asked you to click on a blue box or something. That box was in fact an FB "send message" button.
  • The site asked you to paste some code into your console. This should be "fixed" in future versions of Firefox.
  • Facebook has a CSRF vulnerability. (unlikely)
Got the link on hand? I'd rather not type it from there.



-Manish Goregaokar




Kumar Ayush

Aug 8, 2014, 11:41:22 AM
to wncc...@googlegroups.com
In addition, if the link is suspicious but you need to open it, be it curiosity or anything, open it in incognito.

Or simply copy the link and run it. This kind of stuff is made possible due to a stupid action by Facebook - any link you open in Facebook runs through a Facebook page which redirects you to the link. I think this is for Data Research purposes, but it can cause any script to gain temporary access to your credentials.

The above paragraph was based on guesswork. If not that, can anyone suggest any other way that JavaScript can communicate to a tab/window other than its own? Except using cookies. It's again a bad thing if anyone can use their cookies.
If this is right, please suggest ways that a web developer can prevent this.

Sincerely
Cheeku

Manish Goregaokar

Aug 8, 2014, 11:54:56 AM
to wncc...@googlegroups.com

> Or simply copy the link and run it. This kind of stuff is made possible due to a stupid action by facebook - any link you open in facebook runs through a facebook page which redirects you to the link. I think this is for Data Research purposes, but it can cause any script to gain temporary access to your credentials.

False. If there was a vulnerability here, you could make oodles of cash by reporting it. The referer does pose a privacy vulnerability, but not a security one.

> The above paragraph was based on guesswork. If not that, can anyone suggest any other way that javascript can communicate to a tab/window other than its own? Except using cookies. It's again a bad thing if anyone can use their cookies.

"Cookies" don't get shared to JS from another page unless they're set up in a certain way.

Couple of ways:
  • The web page sends a POST request. Sure, AJAX doesn't work, but what's to prevent them from triggering a form submit in a same-domain iframe with a cross-domain ACTION attribute? Most sites use CSRF protection for this, usually a token passed with every request that makes changes on the server side that only the site will know about. (So spoofing a request is impossible from JS since you can't read the token off the page -- CORS FTW)
  • The web page downloads a jar or exe that the user executes. Whoo.
  • Clickjacking. The webpage asks the user to "find the blue square" or something. The square is actually a portion of a cleverly masked FB "post" or "comment" (or whatever) button. This can sort of be stopped by disabling iframing of the page, but then again, there is something known as an iframe-buster-buster-buster-buster so I wouldn't rely on this. Plus FB allows iframes for legitimate embedding and from an iframe it's hard to tell if the embedding is "legitimate" or not (check that, impossible).
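
The two server-side defences mentioned in the list above (a per-session CSRF token, and telling the browser not to frame the page instead of relying on frame-busting scripts) can be sketched as follows. This is an added example, not code from anyone in the thread or from Facebook; the request shape, the origin `https://example.test`, and all function names are assumptions, and `frame-ancestors 'none'` only suits pages that never need legitimate embedding.

```javascript
const crypto = require("node:crypto");

// Assumption: a per-deployment secret; generated here so the example runs offline.
const SERVER_SECRET = crypto.randomBytes(32);

// Token bound to the session: HMAC(secret, sessionId). A page on another
// origin cannot read it out of the victim's page, so it cannot send it back.
function issueCsrfToken(sessionId, secret = SERVER_SECRET) {
  return crypto.createHmac("sha256", secret).update(sessionId).digest("hex");
}

function verifyCsrfToken(sessionId, token, secret = SERVER_SECRET) {
  if (typeof token !== "string") return false;
  const expected = Buffer.from(issueCsrfToken(sessionId, secret), "hex");
  const given = Buffer.from(token, "hex");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Response headers asking the browser not to render this page in any frame.
function antiFramingHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
  };
}

// Decide whether a state-changing request is accepted.
// `req` is a plain object with a hypothetical shape, not a real framework type.
function handleStateChange(req, allowedOrigin = "https://example.test") {
  const headers = antiFramingHeaders();
  if (req.method !== "POST") return { status: 405, headers };
  // Reject requests whose Origin header names a different site.
  if (req.origin && req.origin !== allowedOrigin) return { status: 403, reason: "origin", headers };
  // The session cookie arrives automatically even on a forged request; the token does not.
  if (!verifyCsrfToken(req.sessionId, req.csrfToken)) return { status: 403, reason: "csrf", headers };
  return { status: 200, headers };
}

// Constructed sample requests: the site's own form vs. a forged cross-site submit.
const sid = "session-abc123";
const legit = { method: "POST", origin: "https://example.test", sessionId: sid, csrfToken: issueCsrfToken(sid) };
const forged = { method: "POST", origin: "https://evil.example", sessionId: sid, csrfToken: undefined };
console.log(handleStateChange(legit).status, handleStateChange(forged).status);
```
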


Mayank Singhal

Aug 8, 2014, 5:48:34 PM
to wncc_iitb
> If not that, can anyone suggest any other way that javascript can communicate to a tab/window other than its own?

If you want legitimate communication, Window.postMessage is the new way to do it.

> "Cookies" don't get shared to JS from another page unless they're set up in a certain way.

No, there is no way to do cross-domain cookie sharing. Period.
The best you can do is to share it across subdomains.

> The above paragraph was based on guesswork. If not that, can anyone suggest any other way that javascript can communicate to a tab/window other than its own? Except using cookies. It's again a bad thing if anyone can use their cookies.

I am just making an educated guess here, but there is not going to be any direct communication happening if you copy-paste the link or click it. This is, as Manish and Dilawar said above, largely a phishing attack:

You see an enticing link, you open the page to find out more. Now, usually, the page will have one of two things:
  • A notice saying that you cannot see the content unless you like their page (and probably approve a wide variety of other permissions that they ask for)
  • A button that says "Play the video" or "Expand the content" behind which there is a hidden Facebook login button/link. When you click on the play button, you end up approving the page to get connected to your account.

I am pretty sure FB must be doing a good job checking referers for all the requests, but most sites don't and CSRF is an issue for them. Even decent sites like Twitter have had problems with this.

TL; DR: If something is too good to be true, go incognito (private mode in Firefox?).


Mayank Singhal




Manish Goregaokar

Aug 9, 2014, 4:24:18 AM
to wncc...@googlegroups.com

> > "Cookies" don't get shared to JS from another page unless they're set up in a certain way.
>
> No there is no way to do cross domain cookie sharing. Period.
> The best you can do is to share it across subdomains.

That's what I meant -- most sites like Wikipedia and Stack Exchange with centralized login use some tricks to get global login without requiring accounts on all sites.

> TL; DR: If something is too good to be true, go incognito (private mode in firefox?).

This. This. Very much this.

-Manish

Kumar Ayush

Aug 9, 2014, 6:47:44 AM
to wncc...@googlegroups.com
For the record, I know a professor in CEBS who has blocked all scripts on his browser. He adds exceptions as and when he needs them.
While telling me about it, he went like, "Can you be sure what scripts are running in the background and what are they doing to your data?"

Sincerely
Cheeku

Manish Goregaokar

Aug 9, 2014, 10:20:12 AM
to wncc...@googlegroups.com
A surprisingly large amount of people use NoScript.

-Manish Goregaokar

Pratyush Nalam

Aug 9, 2014, 1:58:57 PM
to wncc...@googlegroups.com
He uses NoScript?

Manu Raveendran

Aug 9, 2014, 1:59:09 PM
to wncc...@googlegroups.com

Not sure if it's related, but I use this Chrome extension to help me block all the websites that track my usage and collect analytics data behind the scenes. You can add exceptions as you go. (Because it sometimes blocks sites from using the "login through Google" and "login through Facebook" options.) It's been very useful for me because I care about my privacy a lot.

Manish Goregaokar

Aug 9, 2014, 2:01:27 PM
to wncc...@googlegroups.com
You might be interested in Lightbeam as well, rather an eye opener. https://www.mozilla.org/en-US/lightbeam/

-Manish Goregaokar

Mayank Singhal

Aug 11, 2014, 5:49:24 PM
to wncc_iitb
> "Can you be sure what scripts are running in the background and what are they doing to your data?"

> what scripts are running in the background?

Unless the sandbox is broken, there is not a lot that these scripts can do, in foreground or in background.

> what are they doing to your data?

Assuming the worst case, everything they possibly can. Which is not going to change depending on whether scripts are enabled or not.

There is value in being vigilant, but there is a case of diminishing returns.



Mayank Singhal
