Facebook Speaks Up On Recent Porn Flood

On Wednesday Facebook said that it has finally stopped most of the spam that flooded news feeds and inboxes over the previous 48 hours with images of graphic violence, porn and animal abuse. Facebook officials blame the attack's success on a cross-site scripting (XSS) exploit in a particular, unnamed web browser (as the statement below makes clear, the "exploit" is a self-XSS: victims pasted JavaScript into the address bar themselves), and they even admit that they know who attacked the social network. It wasn't Anonymous.

"During this spam attack, users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content," officials said in a statement to Mashable. "No user data or accounts were compromised during this attack. Our engineers have been working diligently on this self-XSS vulnerability in the browser."

"We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it," Facebook continues. "We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people."

Sophos claims that the issue was difficult for Facebook to address because the problem didn't reside on the website itself, but within the unnamed browser. The security firm also stressed that Facebook users were likely enticed to paste malicious JavaScript into their browser by some kind of contest, giveaway or sweepstakes that required contestants to copy and paste a "magic code" into the address bar to win a "fantastic" prize.

"The bigger question is what motivated the attackers to use this flaw in such a strange way?" writes Chester Wisniewski of Sophos. "We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100-percent of them lead to some financial payout for the scammer. This seems to be a purely malicious act."

By pasting the "magic code" into the browser's address bar, Facebook users were unknowingly sharing graphic content with their Facebook friends: a javascript: URL entered in the address bar runs in the context of the page that is currently open, so the pasted code acted with the victim's logged-in Facebook session. The offensive content spread like wildfire because friends clicked on the links thinking they had been shared on purpose. Sophos suggests that Facebook users keep themselves informed about the latest scams spreading across Facebook and about other internet attacks.

Also on Wednesday, Facebook said that it is working with its legal team to take appropriate action against the unnamed hacker responsible for the attack. In the meantime, users are encouraged to run a virus or malware scan on their system, remove any unwanted or suspicious Facebook apps, change their password, make sure the browser is up to date, and report anything unusual. Finally, don't copy and paste code into the address bar: no legitimate contest or giveaway requires it, and whatever you paste there runs with your logged-in session.

    Top Comments
  • mortonww
    Yikes, so people actually had to copy and paste lines into their browser's address bar to claim a fantastic prize in order for this exploit to work? The only shame here is that it wasn't coded to cancel their ISP subscription.
    32
  • LuckyDucky7
    So... which browser was it? Which browser least protects gullible Facebook users from themselves?
    18
  • xyster
    Copy and paste the following text into your Internet Explorer 7 Browser to win a COOKIE!!!

    javascript:alert(document.cookie);
    17
  • Other Comments
  • rohitbaran
    Considering that the browser is unnamed, my guess is it should be one of the proprietary ones.
    8