
Facebook Blames Porn Attack On Browser Bugs

Attack spread a massive quantity of hardcore pornography and violence images via a cross-site scripting flaw.


Facebook officials on Wednesday acknowledged that the site had been hit by a spam attack that unleashed massive quantities of violent and pornographic images across users' newsfeeds for more than 24 hours. Facebook blamed the attack's success on a browser vulnerability, but said it had largely brought the attack under control.

"During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. No user data or accounts were compromised during this attack," said a Facebook spokesman via email. "Our engineers have been working diligently on this self-XSS vulnerability in the browser."


Facebook declined to name which browser had the vulnerability, but "self-XSS" refers to a cross-site scripting (XSS) attack in which the victim runs the attacker's script in their own browser. These attacks rely on social engineering to trick users into copying and pasting a line of code into the browser's address bar. "What would compel someone to copy and paste malicious JavaScript into their browser? Usually it is related to a giveaway, contest, or sweepstakes for some fantastic prize, and to qualify you need to paste this magic code into your browser," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.
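The browser-side mitigation that closes off this trick is to treat a pasted `javascript:` URL as plain text rather than code. The following is an added example, not code from the article, Facebook or any browser vendor: it models that address-bar check, including the URL-spec quirk that tabs and newlines are removed before the scheme is parsed, so an obfuscated `java<TAB>script:` still counts. The sample strings are constructed for illustration.

```javascript
// Added example: normalise pasted address-bar text the way the URL Standard does
// before scheme parsing, then detect and neutralise a javascript: scheme.

// Per the URL Standard, leading/trailing C0 controls and spaces are trimmed and
// ASCII tab/newline are removed anywhere in the input before the scheme is read.
// A check that skipped this step would miss "java\tscript:" or "\njavascript:".
function normalizeUrlInput(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '') // trim controls and spaces
    .replace(/[\t\n\r]/g, '');                           // drop tab, LF, CR anywhere
}

// True when the normalised input would parse as a javascript: URL (scheme is
// case-insensitive, so "JaVaScRiPt:" must match too).
function isJavascriptUrl(text) {
  return /^javascript:/i.test(normalizeUrlInput(text));
}

// Address-bar style mitigation: strip the javascript: scheme so the remainder is
// handled as ordinary text (for example, a search query) and is never executed.
// Anything that is not a javascript: URL is returned exactly as typed.
function sanitizePaste(text) {
  const normalized = normalizeUrlInput(text);
  return isJavascriptUrl(normalized)
    ? normalized.replace(/^javascript:/i, '')
    : text;
}

// Constructed samples resembling the "magic code" social-engineering lure
// described in the article, plus benign input that must pass through untouched.
const samples = [
  'javascript:alert(1)',
  '  JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'https://www.facebook.com/',
  'free prize for pasting this code',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isJavascriptUrl(s), JSON.stringify(sanitizePaste(s)));
}
```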

But according to Facebook's security team, the social network has now created "enforcement mechanisms" that automatically shut down malicious pages that result from the self-XSS exploit, as well as accounts that appear to have been created simply to launch these types of attacks. "Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms," said the Facebook spokesman. "Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible."

The images spread by the attack included pictures of celebrity Justin Bieber, who had been "Photoshopped" into a sexual situation, as well as pictures of a dead dog. The explicit images hit many Facebook users' newsfeeds beginning Monday and continued for at least 24 hours before Facebook brought the attack under control. "Considering that the flaw is not within Facebook's website it appears to have been rather difficult for them to respond to this threat," said Wisniewski at Sophos.

Why attack Facebook? "Social networks are a gold mine for attackers," said Mike Geide, senior security researcher at Zscaler ThreatLabZ, via email. "With such a large volume of users, spam and malicious content can spread very rapidly."

Most such attacks, whatever their imagery, have a single overriding purpose: to make money for attackers, typically through pharmaceutical sales, by stealing people's personal financial information, or through clickjacking or likejacking campaigns, which redirect people to websites and generate referral income for the attackers.

What's unusual about this Facebook attack, however, is that it doesn't appear to be designed to make money. "We investigate lots of Facebook scams ... and I would guess that nearly 100% of them lead to some financial payout for the scammer," said Wisniewski at Sophos. But this attack, unusually, appears to have been designed solely to attack Facebook's "reputation for maintaining a reasonably family-friendly environment," he said.


Source: Infoweek
