Aug. 24, 2009

Posted by in Facebook | 4 comments

How to Write a Facebook Virus

  1. Find a cross-site scripting vulnerability in a widely used Facebook application.  At least three of the top 10 applications currently have one.
  2. Craft a short link that redirects to a specially infected XSS link.  You can use a clickjacking attack to help ensure that users who don’t have the application installed still get infected.
  3. Write JavaScript code for your XSS injection that harnesses a user’s session secret and uses it to make Facebook API requests.  More information about how this works is freely available online.
  4. You’ll probably want to include code that harvests profile information (such as date of birth, interests, and educational history) from infected users and their friends, since that simply requires an FQL query.  You could also download photos if you so desire.  In order to appear inconspicuous, use the same FQL queries that advertising networks use for targeting.
  5. If you want to include a few pop-ups or malicious redirects in your code as well, feel free.  If you can do it in JavaScript, you can do it here.
  6. Finish up your code with a few API requests that post a one-line story to a user’s wall or send notifications to their friends, since both of these are also generally possible with injected code.  Include your short link in these posts.  Finally, redirect the user to an innocent page so they don’t suspect anything.
  7. Note that after a little while, someone may catch on and patch the hole in the application you’re exploiting.  But since multiple applications typically have holes (see step 1), you can easily switch your code to a new one.  Since you’re using mainstream applications, they’re not likely to be banned as quickly as suspicious-looking rogue applications, so that should buy you some time.

Fully functional demonstration code available to security researchers and media outlets upon request.

Note that this is not simply a problem with Facebook applications.  This is a problem with the Facebook Platform.  These instructions will remain valid until Facebook takes action on publicly noted issues with their current setup.

  1. Busted Laptop says:

    Researching Facebook viruses on Google and come across this.

    Reason for research: My laptop has a deadly desease from some fuck on FB.

    You look to be very savvy in computer security and hacking.

    It’s a wonder that people put this out on the internet.

    A 6 month old Toshiba laptop running excellent with regular malware and virus scans, etc.

    The mother fucker locked up and shit the bed last night. Windows System32 IMPORTANT OS files corrupted, which means I cannot even deploy F8/F12 Repair/Restore…

    155 gigs of 250 used up of mainly my organized serious photography – OVER 5000 photos (backed up somewhere, but that’s NOT the point), 2000 songs, numbers, other photos I may not ever be able to get back, about 100 Favorites…

    I know thousands of people are on both ends of this everywhere, but


    Thanks for sharing this story of how to create a Facebook virus. I’m sure hundreds of losers are having fun fucking up hard work and treasured PERSONAL belongings.

    What has gone so devastatingly wrong with the modern-day homo sapien????

    … WTF!!!???

  2. Since the e-mail address for the above comment didn’t work, I’m pasting here the message I tried to send tonight.

    Dear “Busted Laptop”:

    I saw your comment on my blog and wanted to get in touch. I may not change your mind about my motivations or methods, but I did feel that you deserved an explanation as to why I put up that post about “how to write a Facebook virus.”

    But first, I also want to say that I truly am very sorry for the situation you’ve ended up in. I’ve been on the receiving end of viruses and data loss before, and while I certainly can’t know what your situation is like, I know such events can be extremely stressful and frustrating.

    When it comes to my post, I can assure you that neither I nor any other security researchers have seen any viruses in the wild which use the method of attack I described. Most of the current Facebook viruses I’m aware of, such as Koobface, have been spreading long before my post was written and use very different techniques. If someone actually wanted to write a malicious virus, they would have plenty of resources without ever checking my blog. I have been contacted a few times by people looking for help hacking various aspects of Facebook, but the only people I communicate with are ones I believe to be legitimate security researchers who are trying to help users, not harm them.

    So why publish a post about writing viruses? It’s been my experience watching and working with Facebook on a variety of issues over the last two years that the company will move quickly to protect its reputation – but only when users stand up and call for action. All of the techniques I described in my post had been previously published and demonstrated at various times, but had not been put together in one list before. Prior to that post, I had tried several times to bring people’s attention to the seriousness of such flaws in the Facebook Platform, but was often met with dismissals that the effects weren’t so serious. I finally wrote the post you saw to prove the point that these issues were worth taking seriously.

    Also, as I said, the techniques described deal with flaws in the Facebook Platform itself. What I outlined was not an unstoppable bag of tricks to exploit. I have reiterated on my blog several times that Facebook could take actions which would stop such exploits cold. The main reason I published that post was that users would see the gravity of the situation and call for Facebook to implement better protection for their users. I’ve discussed several times technical solutions that Facebook could issue for prevent the attacks I’ve described, but so far they’ve done little to nothing. I could have withheld the post and simply tried to convince Facebook myself, but I’ve never found that route very successful (and I do have a security contact at Facebook that I’ve been in touch with many times).

    Anyway, as I said, none of this may change your mind, and I don’t blame you for being upset. But I can assure you that if Facebook patches the vulnerabilities I described, no one will be more excited than me.


  3. SMartass, I haven’t been affected by this YET.
    Maybe write posts on how to remove this shit, instead? Would be WAY much more interesting and you’d get terribly many hits on your damn blog.

  4. Thank you for your post. It’s a really great way to learn about how these things operate, thereby helping me find potential vulnerabilities in my system. Thank you.


  1. Twitted by jjedMoriAnktah - [...] This post was Twitted by jjedMoriAnktah [...]
  2. Twitted by dalmaer - [...] This post was Twitted by dalmaer [...]
  3. Twitter Trackbacks for How to Write a Facebook Virus | Social Hacking [] on - [...] How to Write a Facebook Virus | Social Hacking – view page – cached #Social Hacking ...
  4. Fb Viral Share | - [...] Jacob Kirkegaard and Pierre Bastien Include Sharing With Friends FBML code | Facebook FBML HTML Code How to Write ...

Leave a Reply