My last writing described in detail the hacking scenario used by hackers. However you maybe wonder that how hackers can change user’s password when they do not know the old one. Is this a new vulnerability of Facebook? 

In the past, Facebook once urgently patched a critical vulnerability which allowed hackers to change the user’s password without current one. This made me think of a similar hole when beginning to analyze Facesy. However, after analyzing carefully, it turned out that Facesy used an interesting method, it’s add-on not a vulnerability.

W32.Facesy.Trojan, a virus which uses Add-on of Chrome, has the ability of taking control and stealing Facebook account.

The focal point of its method lies in cheating users to install Add-on for Chrome browser (the script was described in the last writing). This Add-on will inject code into Facebook login page. This code has function of taking value of password box, then request Facebook server to change the password.

Consequently, when users login Facebook by Chrome, and view the source code of the web (using F12), it’s possible to recognize the difference in the red crossed. That’s html code which was injected by the virus. About the interface, it is still the interface as usually, however the source code was changed with the aim to steal the account.


To take the user’s password, W32.Facesy.Trojan have to wait until users enter password in the website injected the code (as above), then it uses JavaScript command to take the value of account and password in the login page. It’s possible for users to login successfully take access token with necessary parameters. It uses the parameter and send AJAX message to Facebook’s server to change the password.




It noted that the login request and password changing  used HTTPS protocol, so Add-on is the best choice for stealing and sending request.

If you are a victim, you should quickly use the feature of password reset though Facebook email to get your controlling right back. At the same time, you should remove Add-on with the name Google Chrome Guncelle before malicious links full in your Wall.

If you cannot access the feature of Chrome extension (Option à Tool à Extension), you should set up the feature of showing hidden files and delete suspected <Extension ID> folders according to links as the following:

On Win 7:“C:\Users\<Current user>\AppData\Local\Google\Chrome\UserData\ Default\Extensions\<Extension ID>\”, delete folders <Extension ID>\”

On WinXP: C:\Documents and Settings\<Current user>\\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\<Extension ID>\

For safety, users should not click on the poisonous links, untrusted articles with impressive content. Now, W32.Facesy.Trojan has injected in Chrome, however it can spread in any browsers.

Pham Minh Dat

Malware researcher

Leave a Reply

Name (required)
Mail (hidden) (required)
Text to Identify

Popup Date Time Portlet

Blogs Aggregator

Blog Category Portlet


Store Portlet


Vote Baby Portlet