Why did cnn.com try to download xd_proxy[1].css?

2011/02/02

Today, when I opened cnn.com, there was a prompt in the Information Bar asking whether I wanted to download a file.  At first, I thought it was just the pop-up blocker.  Later, when I got complaints from users about other sites (like www.nationalpost.com), I started thinking this might be some kind of SQL injection again.

For research purposes, I clicked “Download File…”.  Notepad opened with the file name xd_proxy[1].css; the content looked like this:

.app_content_51546247891 a.uiLinkSubtle { display: none; }
.app_content_51546247891 a.UIImageBlock_ICON_Image { display: none; }
#bootloader_Zvucx { height: 42px; }

The file was also saved in the browser cache folder.  I am not sure whether those sites are all contaminated.  It seems the code is all from the same source.  Hopefully a CSS file is not that executable outside of the browser.

People are talking about this on the Microsoft online community and other forums.  Thanks to some smart minds, the source has been found.  Guess what?  It is from Facebook.

Here is the sample code on chess.com:

<div id="fb-root"></div>
<!-- Facebook JavaScript SDK, loaded cross-domain from connect.facebook.net -->
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script>
FB.init({appId: '2427617054', status: true, cookie: true, xfbml: true});
if ( ! window.ChesscomFB ) var ChesscomFB = {};
// Open the Facebook share dialog for the given URL (defaults to the current page)
ChesscomFB.share = function (url) {
  var params = { method: 'stream.share' };
  if (url) {
    if (url.indexOf('/') === 0) url = 'http://www.chess.com' + url;
  } else {
    url = location.href;
  }
  if (url.indexOf('utm_source') === -1) url = url.replace(/\?|$/, '?utm_source=facebook&utm_medium=sharelink&').replace(/&$/, '');
  params['u'] = url;
  FB.ui(params);
};
</script>

All sites that embed this version of the Facebook code would have the same problem.
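As an added triage example (not code from this post, from chess.com or from Facebook), the script below does what was done by hand above: it lists the third-party script includes on a page, so an unexpected download prompt can be traced back to the embed that loads the resource, and applies a simple response-header heuristic for whether a fetched resource would be offered to the user as a file. The sample HTML is constructed from the snippet above, and the download heuristic is an assumption for triage, not the browser's actual rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the chess.com embed plus one first-party script.
SAMPLE_HTML = """
<div id="fb-root"></div>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script src="/js/site.js"></script>
<script>FB.init({appId: '2427617054', status: true});</script>
"""


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def third_party_scripts(html, site_host):
    """Return script URLs served from a host other than the site's own."""
    parser = ScriptSrcParser()
    parser.feed(html)
    found = []
    for src in parser.srcs:
        host = urlparse(src).netloc  # empty for relative (first-party) paths
        if host and host != site_host:
            found.append(src)
    return found


def would_prompt_download(headers):
    """Heuristic (an assumption, not a browser specification): treat a
    response as 'offered for download' when Content-Disposition is an
    attachment or the Content-Type is one browsers do not render inline."""
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").strip().lower()
    if disposition.startswith("attachment"):
        return True
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    return ctype in ("application/octet-stream", "application/x-download")


if __name__ == "__main__":
    for src in third_party_scripts(SAMPLE_HTML, "www.chess.com"):
        print("third-party script:", src)
```

On a live page the same functions can be run over the fetched HTML and the response headers of each third-party resource, which narrows the suspect list before assuming the site itself has been compromised.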

Here are some discussions in the Facebook developers community:

http://forum.developers.facebook.net/viewtopic.php?id=88682

http://forum.developers.facebook.net/viewtopic.php?pid=312662

and here is the root cause and the Facebook bug report:

http://bugs.developers.facebook.net/show_bug.cgi?id=14971

This one is more specific:

http://bugs.developers.facebook.net/show_bug.cgi?id=14978
