If you're running NoScript
it prevents running JS directly from your URL bar to combat social engineering attempts to get users to unknowingly run something malicious, and will provide the following dialog message:
Otherwise, here is a screenshot from entering this in Safari:
In this example on Safari, I was initially on the www.apple.com page before I launched the JS in my URL bar - so you can see the Apple page in the background and the JS alert message appears to have come from www.apple.com. This would change depending on whatever page I was on when I launched the JS in the URL bar - additionally the JS could be modified to interact with or modify content on the current page. In other words, you could run JS that could completely modify the Apple page locally in your browser or interact with buttons or links. This is an important concept to understand and is a technique that is being used to do damage to Facebook accounts / profiles.
The "same origin policy"
is a security concept used in JS and other browser-side scripting languages that prevents scripts from one website from accessing methods/properties on another website. So when you visit your friend's blog, he is unable to have JS execute and automatically interact with your Facebook account. Instead he includes a link at the bottom of his blog to interact with facebook.com and pass a parameter to Facebook saying that you "like" his post (the "like" button
). For example,
There is an exception to the "same origin policy" in which you can execute script locally within your browser to interact with a page (shown above in the apple.com example). Developers and browser plugins (e.g., greasemonkey
) take advantage of this fact to alter various aspects about a webpage. Bad guys are also taking advantage of this fact, by social engineering users to copy/paste or type JS in their URL bar to perform unwanted actions. While logged into Facebook, the JS can automatically perform actions in your account such as, "liking" content or messaging your friends.
Facebook has cleaned up most of the offensive content from in the recent campaign. But doing some specific searches I was able to find some examples of this self-inflicted JS injection technique being used on Facebook.
The most common case, are Facebook groups that ask you to join and then enter in some JS into your URL bar. For example,
This JS loops through all of your Friends and suggests / invites them to the group. In other words, this JS performs a bulk invite of a group to all of your Friends. Simple, right?
Here is an example of a more complex and malicious JS I found on FB:
The strings in the JS are all hex encoded, below is the unescaped version:
This JS generates an Facebook invite message to your friends with the message containing an IFrame to: bit.ly/9CxGhY?82
Visiting this shortened link, shows that Bit.Ly is aware of the abuse and warning users from following:
The shortened link was to the now down site:
There are many examples of past abuse from various "facebook.joyent.us" sites, here
This technique is not a new technique - Zscaler has reported past abuse examples using this Self-Inflicted JS Injection method, for example:
Be careful of all actions you take while online, to include copying and pasting content into your URL bar.