Yes, exactly JavaScript. I just met such a worm and tried to decode it.
What the actual problem is:
The recent Facebook worm works by getting users to visit a page, which makes them insert a JavaScript string into their address bar and therefore executing it.
So, DON'T EVER copy some JavaScript code into your address bar. That's the main problem. And don't click any links you don't trust. Or at least open those links in a new window using the Privacy Mode (Firefox) or Incognito mode (Chrome) so that it won't be able to access your Facebook session.
What did our hackers do to make people not realize what they're doing?
Escaping the script
The string you copy into the URL bar mostly links to another JavaScript which is executed. This script is actually decoded into entities. So instead of using string characters, the whole script was put into a string and escaped so that no human could read it in the first place.
For example, if I had a very malicious function I'd escape it and the user would only see:
function%20test%28%29%20%7B%20alert%20%28%22LOL%22%29%3B%20%7D
and unescaped it would be
function test() { alert("LOL"); }
The script therefore unescapes "itself" before it is executed.
Obfuscating it
Now it's getting ugly: Before escaping it, the evil JavaScript code is obfuscated, with function names like _____x
and variables like aLDIWEJ
. This makes still sense for JavaScript, but it is entirely unreadable to humans. This is done, again, to mask the intentions of our Facebook hackers.
At this point, the code could have looked something like this:
![enter image description here](https://i.stack.imgur.com/LcSPP.png)
What the script does
Well, what this script does is take your current Facebook session. Because you are logged into the site, it can do anything in your name. For example, things it can do through Facebook's API is:
- creating an event like "OMG I can see who stalked me!"
- chatting with people
- posting status updates
- etc.
This all happens by calling some of Facebooks API pages (some PHP pages, I forgot which).
Best Answer
There are many parameters which a server can use to identify a visitor. IP address is the first, cookies is another possibility, but the browser itself provides a "signature" including its full version, the name and version of the OS, the languages and encoding it supports... Also, it is easy to use JavaScript or Flash to identify plugins, screen resolution and other aspects of your machine configuration.
If you use all of it, it is too discriminant and the simplest browser upgrade will have you identified as "a new location". But choosing wisely an appropriate subset can give websites a good idea about whether you are using the same platform as before.
On Panopticlick, a web demonstrator of the Electronic Frontier Foundation, you can get an overview of all the information your browser is leaking, and to which extent it can be used to identify you.