Facebook officials acknowledged on Wednesday that the social network had been hit by a spam attack that posted graphic pornographic and violent images across user newsfeeds for 24 hours -- and that it was all caused by browser vulnerabilities.
Facebook said the attack was now under control, but that users themselves had brought in the malicious code. From InformationWeek:
Facebook didn't name the browser in question, but a user would still have to cut and paste a script. But why? "Usually it is related to a giveaway, contest, or sweepstakes for some fantastic prize, and to qualify you need to paste this magic code into your browser," Chester Wisniewski, a senior security advisor at Sophos Canada, wrote on the Sophos Naked Security blog.
But, as InformationWeek points out, Facebook's security team is already supposed to have mechanisms in place to shut down malicious pages resulting from the self-XSS exploit. So what happened exactly? Facebook's spokesman said that Facebook's security team "drastically limited the damage" and is investigating who's responsible.
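The kind of server-side check the article says Facebook's security team is expected to have is easy to sketch. The following is an added example, not code from the article, from Facebook or from InformationWeek: it scans a constructed post log for the signature a self-XSS campaign leaves behind, namely many accounts posting the same bait text, each to many friends' feeds within a short window. The event format, thresholds, account names and sample posts are all assumptions made for the illustration.

```python
"""
Added example (not from the article or from Facebook): a small
detector for the abuse pattern the story describes, where accounts
that have pasted a self-XSS script start mass-posting the same
content to many feeds. The log format, thresholds and sample events
below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class PostEvent:
    ts: float          # seconds since epoch
    user_id: str       # account that made the post
    target_feed: str   # whose feed the post landed on
    content: str


def content_fingerprint(content: str) -> str:
    """Hash of whitespace/case-normalised content so near-identical spam groups together."""
    normalised = " ".join(content.lower().split())
    return sha256(normalised.encode()).hexdigest()[:16]


def find_burst_posters(events, window_s=60.0, max_targets=5, max_accounts_per_fp=3):
    """
    Return {user_id: [reasons]} for accounts that look compromised:
      * "fanout": one account posted identical content to more than
        max_targets distinct feeds inside window_s seconds
      * "shared_payload": the same content fingerprint was posted by
        more than max_accounts_per_fp accounts, which is how a
        paste-this-code campaign looks from the server side
    """
    flagged = defaultdict(set)
    per_user_fp = defaultdict(list)      # (user, fingerprint) -> [(ts, target), ...]
    accounts_per_fp = defaultdict(set)   # fingerprint -> {user, ...}
    for ev in sorted(events, key=lambda e: e.ts):
        fp = content_fingerprint(ev.content)
        per_user_fp[(ev.user_id, fp)].append((ev.ts, ev.target_feed))
        accounts_per_fp[fp].add(ev.user_id)

    for (user, fp), posts in per_user_fp.items():
        # Sliding window over this user's posts of this particular content.
        start = 0
        for end in range(len(posts)):
            while posts[end][0] - posts[start][0] > window_s:
                start += 1
            targets = {target for _, target in posts[start:end + 1]}
            if len(targets) > max_targets:
                flagged[user].add("fanout")
                break

    for fp, users in accounts_per_fp.items():
        if len(users) > max_accounts_per_fp:
            for user in users:
                flagged[user].add("shared_payload")
    return {user: sorted(reasons) for user, reasons in flagged.items()}


# Constructed sample log: one ordinary user, six compromised accounts that
# all posted the same bait text to seven friends' feeds within seconds,
# and one account that posted the bait slowly (every five minutes).
BAIT = "Paste this code in your browser to see who viewed your profile!"
SAMPLE_EVENTS = [PostEvent(1000.0, "alice", "bob", "lunch was great")]
for i, acct in enumerate(["u1", "u2", "u3", "u4", "u5", "u6"]):
    for j in range(7):
        SAMPLE_EVENTS.append(PostEvent(1000.0 + i + j * 2, acct, f"friend{j}", BAIT))
for j in range(7):
    # Slow poster: shares the payload, but does not trip the fan-out rule.
    SAMPLE_EVENTS.append(PostEvent(5000.0 + j * 300, "slowpoke", f"pal{j}", BAIT))

if __name__ == "__main__":
    for user, reasons in sorted(find_burst_posters(SAMPLE_EVENTS).items()):
        print(user, reasons)
```

The two rules are deliberately independent: the fan-out rule catches a single fast account even before the campaign is widespread, while the shared-payload rule catches slow or low-volume participants once enough accounts have posted the same text. Either hit is a reason to hold further posts from that account for review and to take down the page the bait points at, which is the response the article says Facebook's team is expected to perform.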
The truth is that Facebook is a security menace. With 750 million users, some are bound to be gullible, leave their accounts open at their computer or click on stupid links. Facebook has to be more vigilant with security or risk losing users.