Facebook flooded with porn spam

 

Facebook is working on its security after a pornographic spam attack that apparently exploited a browser vulnerability.

The attack, which seems to have begun towards the end of last week, saw the timelines of many Facebook users inundated with graphic images of pornography and violence. While this happens from time to time as users fall prey to clickjacking scams, for example, the scale of the recent attack has led Facebook to re-evaluate the safeguards it has in place.

"Recently, we experienced a spam attack that exploited a browser vulnerability," the company said in a statement on Tuesday. "Our team responded quickly and we have eliminated most of the spam caused by this attack. We are now working to improve our systems to better defend against similar attacks in the future. "
The social-networking company added that "protecting the people who use Facebook from spam and malicious content is a top priority for us".
According to Graham Cluley of security firm Sophos, the images shown to unsuspecting Facebook users included "explicit hardcore porn images, photoshopped photos of celebrities such as Justin Bieber in sexual situations, pictures of extreme violence and even a photograph of an abused dog".

Cross-site scripting vulnerability

A statement given by Facebook to ZDNet UK sister site ZDNet.com on Monday suggested the attacks were due to a "self-XSS [cross-site scripting] vulnerability in the browser".

Protecting the people who use Facebook from spam and malicious content is a top priority for us.

– Facebook

Cross-site scripting vulnerabilities are generally found in web applications, and are executed within the browser. These flaws allow criminals to inject malicious code into the actions carried out by the browser. This lets the criminal bypass the browser's security mechanisms and access sensitive data associated with the page.
Self-XSS is a variation on the theme, where spammers trick victims into copying and pasting malicious code into their own browser address bars. Doing so lets the spammer manipulate the browser into posting status updates with malicious links, for example, and generally propagating spam.
According to Sophos, self-XSS attacks often arise from common Facebook spam messages such as "Why are you tagged in this video?".
Facebook said in May it was working hard to improve its systems for detecting and blocking these types of attacks, "as well as to educate people on what is causing their accounts to send spam".
At the time, Facebook said every time its systems noted malicious code had been pasted into the address bar, it would challenge the user to confirm that he or she really meant to do so. It also said it would liaise with browser companies to fix the underlying flaws.

---