The wash of porn and violent images flooding Facebook over the last 48 hours was due to an XSS exploit in an unnamed browser, Facebook claims.
On Wednesday Facebook said it had finally stopped most of the spam that flooded news feeds and inboxes over the previous 48 hours with images of graphic violence, porn and animal abuse. Facebook officials blame the attack's success on a cross-site scripting (XSS) exploit in a particular, unnamed web browser, and the company even says it knows who attacked the social network... and it wasn't Anonymous.
"We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it," Facebook continues. "We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people."
"The bigger question is what motivated the attackers to use this flaw in such a strange way?" writes Chester Wisniewski of Sophos. "We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100-percent of them lead to some financial payout for the scammer. This seems to be a purely malicious act."
By pasting the "magic code" into the browser's address bar, Facebook users unknowingly shared graphic content with their Facebook friends. The offensive content spread like wildfire because friends clicked the links, assuming they had been shared on purpose. Sophos suggests that Facebook users keep informed about the latest scams spreading across Facebook and other internet attacks.
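The article says Facebook added "backend measures to reduce the rate of these attacks" without describing them. As an added illustration (not Facebook's code, and not based on any knowledge of its systems), the snippet below shows one kind of server-side check that fits a self-XSS share flood like this one: a sliding-window detector that flags an account that suddenly posts far more links than usual, or the same link many times in quick succession, which is what a script pasted into the address bar does on a victim's behalf. The event format, the thresholds, the helper name `detectShareBursts` and the sample events are all assumptions constructed for the example.

```javascript
// Added example: sliding-window burst detection over link-share events.
// Not Facebook's code; the event shape, thresholds and sample data are
// assumptions constructed for this illustration.

// Constructed sample share events: { user, ts (seconds), url }.
const SAMPLE_EVENTS = [
  // alice: ordinary behaviour, three different links spread over ten minutes
  { user: "alice", ts: 0,    url: "https://example.invalid/news/1" },
  { user: "alice", ts: 300,  url: "https://example.invalid/news/2" },
  { user: "alice", ts: 600,  url: "https://example.invalid/news/3" },
  // bob: a pasted script fires the same link repeatedly within seconds
  { user: "bob",   ts: 1000, url: "https://example.invalid/shock" },
  { user: "bob",   ts: 1001, url: "https://example.invalid/shock" },
  { user: "bob",   ts: 1002, url: "https://example.invalid/shock" },
  { user: "bob",   ts: 1003, url: "https://example.invalid/shock" },
  { user: "bob",   ts: 1004, url: "https://example.invalid/shock" },
  { user: "bob",   ts: 1005, url: "https://example.invalid/shock" },
  // carol: six different links in six seconds, well above a human pace
  { user: "carol", ts: 2000, url: "https://example.invalid/p/1" },
  { user: "carol", ts: 2001, url: "https://example.invalid/p/2" },
  { user: "carol", ts: 2002, url: "https://example.invalid/p/3" },
  { user: "carol", ts: 2003, url: "https://example.invalid/p/4" },
  { user: "carol", ts: 2004, url: "https://example.invalid/p/5" },
  { user: "carol", ts: 2005, url: "https://example.invalid/p/6" },
];

// Scan events in time order and raise one alert per account that exceeds
// either threshold inside the window. Returns alerts sorted by time.
function detectShareBursts(
  events,
  { windowSec = 60, maxShares = 5, maxSameUrl = 3 } = {}
) {
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const recent = new Map();   // user -> events still inside the window
  const flagged = new Set();  // accounts already alerted in this run
  const alerts = [];

  for (const ev of sorted) {
    const q = recent.get(ev.user) ?? [];
    // Expire events that fell out of the sliding window.
    while (q.length && ev.ts - q[0].ts > windowSec) q.shift();
    q.push(ev);
    recent.set(ev.user, q);
    if (flagged.has(ev.user)) continue;

    const sameUrl = q.filter((e) => e.url === ev.url).length;
    if (q.length > maxShares) {
      alerts.push({ user: ev.user, ts: ev.ts, reason: "share_rate", count: q.length });
      flagged.add(ev.user);
    } else if (sameUrl > maxSameUrl) {
      alerts.push({ user: ev.user, ts: ev.ts, reason: "repeated_url", count: sameUrl, url: ev.url });
      flagged.add(ev.user);
    }
  }
  return alerts;
}

// Map an alert to a defensive response. "hold" keeps the shares out of
// friends' feeds pending review; "throttle" slows further posting.
function responseFor(alert) {
  return alert.reason === "repeated_url" ? "hold" : "throttle";
}

for (const a of detectShareBursts(SAMPLE_EVENTS)) {
  console.log(`${a.user} at t=${a.ts}: ${a.reason} (count=${a.count}) -> ${responseFor(a)}`);
}
```

With the constructed data, alice is never flagged, bob trips the repeated-URL rule on his fourth post of the same link, and carol trips the overall rate rule on her sixth post. In practice the thresholds would be tuned against real posting behaviour so that a user who legitimately shares a few links in a row is not held; the point of the detector is that a script driving a victim's session produces a burst shape that a person rarely does.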
On Wednesday Facebook said that it's currently working with its legal team to take appropriate actions against the unnamed hacker responsible for the attack. In the meantime, users are encouraged to run a virus or malware scan on their system, remove any unwanted or suspicious Facebook apps, change their password, make sure the browser is up to date, and report anything unusual. Finally, don't copy and paste code into the address bar unless the source is confirmed to be legit.