
Facebook Speaks Up On Recent Porn Flood

Source: Sophos

The wash of porn and violent images flooding Facebook over the last 48 hours was due to an XSS exploit in an unnamed browser, Facebook claims.

On Wednesday, Facebook said that it has finally stopped most of the spam that flooded news feeds and inboxes over the last 48 hours with images of graphic violence, porn and animal abuse. Facebook officials are blaming the attack's success on a cross-site scripting (XSS) exploit in a particular unnamed web browser, and even admit that they know who attacked the social website... and it wasn't Anonymous.

"During this spam attack, users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content," officials said in a statement to Mashable. "No user data or accounts were compromised during this attack. Our engineers have been working diligently on this self-XSS vulnerability in the browser."

"We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it," Facebook continues. "We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people."

Sophos claims that it was difficult for Facebook to address the issue because the problem didn't reside on the website itself, but within the unnamed browser. The security firm also stressed that Facebook users were likely enticed to paste malicious JavaScript into their browser by some kind of contest, giveaway or sweepstakes that required contestants to copy and paste a "magic code" to win a "fantastic" prize.
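The self-XSS described above only works because the browser accepts a pasted javascript: URL in its address bar and runs it in the current page. As an added example that is not from the article, Facebook or Sophos, here is how a paste guard can recognise such URLs the way the URL parser does (leading whitespace, mixed case, embedded tabs and newlines) and apply the mitigation of dropping the scheme; the function names and sample strings are my own.

```javascript
// Added example (not from the article, Facebook or Sophos): classify text pasted
// into an address bar so that "javascript:" URLs, which run as self-XSS in the
// current page, are recognised even when spelled to slip past a naive check.
//
// The WHATWG URL parser strips leading/trailing C0 controls and spaces and
// deletes ASCII tab, LF and CR anywhere, and the scheme is case-insensitive,
// so "java\tscript:" or " JavaScript:" would still execute. Normalize the
// same way before looking at the scheme.
function normalizeForScheme(text) {
  const noTabsOrNewlines = text.replace(/[\t\n\r]/g, "");
  return noTabsOrNewlines.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Lower-cased URL scheme of the text, or null if it has no valid scheme
// (a space before the colon, for example, means it is not a scheme at all).
function extractScheme(text) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForScheme(text));
  return m ? m[1].toLowerCase() : null;
}

// "block" for a script URL, "run" for anything a browser would navigate to
// or treat as a search. A javascript: URL inside a query string is not what
// the address bar executes; only the outer scheme counts.
function classifyPastedUrl(text) {
  return extractScheme(text) === "javascript" ? "block" : "run";
}

// The mitigation Chrome's omnibox applies to pasted text: drop the script
// scheme so the remainder is treated as plain text rather than executed.
function stripScriptScheme(text) {
  const s = normalizeForScheme(text);
  return classifyPastedUrl(s) === "block" ? s.replace(/^[^:]*:/, "") : s;
}

// Constructed samples; the first is the line quoted in the comments below.
const SAMPLES = [
  "javascript:alert(document.cookie);",
  "  JavaScript:void(0)",
  "java\tscript:alert(1)",
  "\n JAVASCRIPT :alert(1)",
  "https://example.com/?q=javascript:alert(1)",
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", classifyPastedUrl(s));
```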

"The bigger question is what motivated the attackers to use this flaw in such a strange way?" writes Chester Wisniewski of Sophos. "We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100-percent of them lead to some financial payout for the scammer. This seems to be a purely malicious act."

By pasting the "magic code" into the browser's address bar, Facebook users were unknowingly sharing graphic content with their Facebook friends. The offensive content spread like wildfire because friends clicked on the links thinking they had been shared on purpose. Sophos suggests that Facebook users stay informed about the latest scams spreading across Facebook and about other internet attacks.
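The backend side of the story, as an added example that is not Facebook's code (the article does not say how its rate-reducing measures work): a detector for the spread pattern described above, one account sharing one link with many friends within a minute, run over constructed log lines in a made-up format.

```javascript
// Added example (not Facebook's or Sophos's code): flag the propagation
// pattern described above, one account sharing one link to many friends fast.
const WINDOW_MS = 60 * 1000; // sliding window of one minute
const BURST_THRESHOLD = 5;   // distinct recipients of one URL from one user

// Parse a constructed line "<ISO time> share user=<u> to=<friend> url=<url>";
// returns null for malformed or unrelated lines so they are skipped.
function parseShare(line) {
  const m = /^(\S+) share user=(\S+) to=(\S+) url=(\S+)$/.exec(line.trim());
  if (!m) return null;
  return { ts: Date.parse(m[1]), user: m[2], to: m[3], url: m[4] };
}

// Group shares by (user, url); for each share count the distinct recipients reached
// in the window ending there; alert once per pair when BURST_THRESHOLD is hit.
function detectShareBursts(lines) {
  const events = lines.map(parseShare).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const byKey = new Map();
  for (const e of events) {
    const key = `${e.user} ${e.url}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(e);
  }
  const alerts = [];
  for (const [key, evs] of byKey) {
    for (const cur of evs) {
      const inWindow = evs.filter((e) => e.ts <= cur.ts && cur.ts - e.ts <= WINDOW_MS);
      const recipients = new Set(inWindow.map((e) => e.to));
      if (recipients.size >= BURST_THRESHOLD) {
        const [user, url] = key.split(" ");
        alerts.push({ user, url, recipients: recipients.size, at: new Date(cur.ts).toISOString() });
        break; // a real backend would throttle or checkpoint the account here
      }
    }
  }
  return alerts;
}

// Constructed sample: alice pushes the bait link to five friends in 31 seconds
// (the self-XSS pattern); bob shares a normal link once; one line is malformed.
const SAMPLE_LOG = [
  "2011-11-15T21:00:00Z share user=alice to=f1 url=http://bait.example/win",
  "2011-11-15T21:00:05Z share user=alice to=f2 url=http://bait.example/win",
  "2011-11-15T21:00:12Z share user=alice to=f3 url=http://bait.example/win",
  "2011-11-15T21:00:20Z share user=alice to=f4 url=http://bait.example/win",
  "2011-11-15T21:00:31Z share user=alice to=f5 url=http://bait.example/win",
  "2011-11-15T21:00:03Z share user=bob to=carol url=http://news.example/story",
  "this line is not a share event",
];
console.log(detectShareBursts(SAMPLE_LOG)); // one alert for alice at 21:00:31Z
```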

On Wednesday Facebook said that it's currently working with its legal team to take appropriate actions against the unnamed hacker responsible for the attack. In the meantime, users are encouraged to run a virus or malware scan on their system, remove any unwanted or suspicious Facebook apps, change their password, make sure the browser is up to date, and report anything unusual. Finally, don't copy and paste code into the address bar unless the source is confirmed to be legit.

Comments
  • rohitbaran, November 17, 2011 2:08 AM (+8)
    Considering that the browser is unnamed, my guess is it should be one of the proprietary ones.
  • mortonww, November 17, 2011 2:10 AM (+32)
    Yikes, so people actually had to copy and paste lines into their browser's address bar to claim a fantastic prize in order for this exploit to work? The only shame here is that it wasn't coded to cancel their ISP subscription.
  • LuckyDucky7, November 17, 2011 2:10 AM (+18)
    So... which browser was it? Which browser least protects gullible Facebook users from themselves?
  • alhanelem, November 17, 2011 2:19 AM (+4)
    might have been the only interesting thing that has happened on facebook since.. forever
  • zoemayne, November 17, 2011 2:23 AM (+3)
    Likely Internet Explorer, but it's not MS's fault. I haven't gotten any spam via Firefox or Chrome.
  • oxxfatelostxxo, November 17, 2011 2:24 AM (+9)
    Most likely IE, as that is the most common default, and less tech-savvy people don't usually change to anything else. Not that IE is bad or anything... well, at least the newest version.

  • Anonymous, November 17, 2011 2:25 AM (-8)
    Not chrome. I haven't noticed anything.
  • AbdullahG, November 17, 2011 2:32 AM (+9)
    ...

    And I thought it was some sort of ingenious way to access a mass of profiles and upload those photos...

    No it was not. It was just a bunch of gullible fools who thought they could win a "magical" prize by copying and pasting a suspicious link...

    What has the world come to...
  • otacon72, November 17, 2011 2:42 AM (+10)
    Any numbnut pasting something into their browser deserves everything they get. Reminds me of the moron who dialed 911 not once but several times because his iPhone was broken. Kind of says it all about people who use Apple products.
  • frish, November 17, 2011 2:58 AM (-4)
    otacon72 wrote: "Any numbnut pasting something into their browser deserves everything they get. Reminds me of the moron who dialed 911 not once but several times because his iPhone was broken. Kind of says it all about people who use Apple products."

    Any excuse to slag off Apple, huh?

    Also I hate when people say that people who don't know better deserve anything they get.
  • dalauder, November 17, 2011 3:04 AM (+9)
    frish wrote: "Any excuse to slag off Apple, huh? Also I hate when people say that people who don't know better deserve anything they get."
    C'mon--people didn't know better than to paste a link and win a free prize? No...they knew there's always a catch and NEVER a free prize. They were stupid and deserve what they got.

    However, the people who received offensive images from these idiots did not deserve it.

    My guess is it was people still using IE6 that did most of the damage.
  • sundragon, November 17, 2011 3:14 AM (-3)
    otacon72 wrote: "Any numbnut pasting something into their browser deserves everything they get. Reminds me of the moron who dialed 911 not once but several times because his iPhone was broken. Kind of says it all about people who use Apple products."

    troll
  • xyster, November 17, 2011 3:16 AM (+17)
    Copy and paste the following text into your Internet Explorer 7 Browser to win a COOKIE!!!

    javascript:alert(document.cookie);
  • daaajm, November 17, 2011 4:16 AM (-5)
    Here is one of the pictures found on Facebook..

    [image link]
  • Anonymous, November 17, 2011 4:31 AM (-2)
    Currently the browsers that are affected are IE, Opera and Safari. Chrome is immune due to prevention of JavaScript executing off the address bar; Firefox is also safe if you have NoScript or disable the java console.
  • Anonymous, November 17, 2011 4:31 AM (-2)
    Uhm... IE is not the best in terms of functionality, but it is the most secure, since it doesn't have many places to exploit.

    Get your facts straight, more functionality usually means less secure.
  • cookoy, November 17, 2011 5:21 AM (-2)
    I got one without doing any copy and paste thing, just clicking on a link sent by a friend. Already using FF 8.0. And I was already forewarned with another message posted by another friend. This time curiosity got the better of me. People who say we should have known better are just the know-it-all type full of vanity.
  • neiroatopelcc, November 17, 2011 5:51 AM (+4)
    mortonww wrote: "Yikes, so people actually had to copy and paste lines into their browser's address bar to claim a fantastic prize in order for this exploit to work? The only shame here is that it wasn't coded to cancel their ISP subscription."

    The majority of people on the net aren't as well informed when it comes to IT as we are. Do remember that.
    My grandma wouldn't understand English, but if the scam was in Danish she'd possibly be one of those doing such nonsense. That doesn't mean she isn't entitled to play bingo or chat with her daughters online though.
  • Anonymous, November 17, 2011 6:26 AM (-9)
    Geez. Facebook is too old. Only old people and people with no life use facebook and they deserve it.
  • alidan, November 17, 2011 6:30 AM (+3)
    frish wrote: "Any excuse to slag off Apple, huh? Also I hate when people say that people who don't know better deserve anything they get."

    If you spend more than 1 hour a day on the internet, you should know something about what you are using.

    We know how to change the oil in our cars, and pump gas, even if it's something you do once a week / twice a year.

    You telling me that people should stay stupid?