Saturday, January 30, 2010

iPads for Obama!

It's the latest trend in the world of online scammers. Someone makes a group on Facebook promising free merchandise/hidden Facebook features/true love if you join and invite all your friends. Of course, these pages restrict viewing of their Walls, so people must join before they find out that it's fake.

The second step is to connect some external website to the Facebook group, which you must visit after you join and invite everyone you know to the group. This web page is where the group creators may collect usernames/passwords with a fake Facebook authentication page, or collect names and addresses, or even credit card info. Whatever their motives, the group spreads too fast for the original adopters to warn those they've already invited about the site. And so, like a virus, the group grows and spreads.

Earlier today, I saw on my Facebook wall that someone I vaguely knew had joined a group entitled "Get a FREE Apple iPad Test Unit!" The group followed the usual procedure of adding all your friends and clicking a link. This time, however, I was curious. Without joining or spamming my friends, I clicked the link. I was greeted with this friendly page:

As a rule, any site douche-y enough to restrict access based on an add-on doesn't really deserve your attention anyway. Still I pressed on. I discovered that (which is completely blocked by the EasyListUSA subscription list in Adblock Plus) was noticing that I was restricting the execution of its stuff and therefore redirected me from the original page to let me know that I was a bad person.

After fishing around for a few minutes, I discovered what .js file on was causing the matter and exempted it from screening. The site then loaded, Adblock Plus filter ignored.

That filter, for those of you who may encounter this in the future, is:
@@|** UPDATE: This code wasn't covering all cases, so I had to tweak it. Use the current version.


After finally accessing the web page, I was greeting with a page-covering DIV and a notice which said that I had to fill out a survey before I could enter my info, "to verify that I'm not a bot". Back on the Facebook group page, they did apologize for the system, but all I can think is, why not be like EVERY OTHER website and use, oh, I don't know, a CAPTCHA? I looked int he lower-left corner of the giveaway page, where a "HACKER-PROOF" logo made the non-https site look very secure. HACKER-PROOF? We'll see about that.

At first, I tried removing the div and just accessing the form directly. That triggered some hidden JS file and promptly warned that I had been "reported" for trying to "hack" the site. Excuse me, but editing local HTML source code for a loaded web page is NOT hacking. I could go on my YouTube channel page and locally edit the HTML to make it look like I have 9001 subscribers. That's still not hacking, because if I refresh, my hard work is gone. Still, at this point I didn't feel like bothering with the annoying .js file, so I decided to do as I was told.

I BS'd my way through one of their dumb surveys (which then started spamming me with product requests, so I'm glad I did not put a real email address. Unless "" is a real address, in which case, please forgive me.) Thankfully, the giveaway page at this point removed the blocking DIV, allowing me to submit my details in order to (potentially) receive a FREE iPad!

But then I noticed something. The form was in a frame. And I could load the frame in my browser independantly of the main giveaway page. And the frame was just the relevant form field which submitted my info, nothing more, especially no hidden JS files.

So wait a minute. I have to "disable" Adblock, not tamper with the HTML source code, and take a spam survey designed to steal my details, but you don't even bother to put security on the actual FORM?

For those of you not familiar with how these kinds of security measures interact, it's kinda like this:

So now I have unrestricted access to the form. The thing is totally unsecured. Hell, I could probably just re-send this form over and over--

It doesn't take long for me to complete a simple form submission page which uses GET variables from the URL to choose the name, address, and email you'd like to submit, and automatically on page load submits the form for you. Embed the form page half a dozen times on another page, set an auto-refresh system up on the meta-form page, and you've got a submission system.

Now all you need is a name, an address, and an email.

At this point, I think back to the State of the Union on Wednesday. Obama had said that "our economic growth increasingly depends on our ability to sell American goods and crops and services all over the world." Perhaps, then, Obama would know of some good places to put to use a few hundred iPads?

Name: Barack Obama
Address: 1600 Pennsylvania Avenue
Email: (I doubt this is a real email address, but it sounded cool.)

I let the program run for around fifteen minutes, watching the giveaway's "Thank you!" page for successful submissions appear briefly before each refresh. So much for "hacker-proof".


I come back after a little while and notice that something had changed on my little form submitter: the "Thank you!" pages now read "403 Forbidden".

I had submitted at most 300 forms in that time-span. Surely that wasn't enough to take down the website in that time.

I did a little checking and discovered that the website was still online, but the owners had clumsily restricted the main directory, completely destroying the website's layout.

So what have I done? I've broken a scammer website, and I've requested 300 iPads for the President of the United States. That's a good day in my book.


UPDATE (2/21/10):
Their site's up and seems to have been back up for a while now. However, they have yet to fix the frame issue. Go figure. Also, as you'll note above, I fixed an issue in the ABP code to work around the ABP-blocker.