Facebook Blames Porn Attack on Browsers

Facebook officials acknowledged on Wednesday that the social network had been hit by a spam attack that posted graphic pornographic and violent images across user newsfeeds for 24 hours -- and that it was all caused by browser vulnerabilities.

Facebook said the attack is now under control, but that users brought in the malicious code. From InformationWeek:

"During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. No user data or accounts were compromised during this attack," said a Facebook spokesman via email. "Our engineers have been working diligently on this self-XSS vulnerability in the browser." 

Facebook didn't name the browser in question, but a user would still have to cut and paste script. But why? "Usually it is related to a giveaway, contest, or sweepstakes for some fantastic prize, and to qualify you need to paste this magic code into your browser," Chester Wisniewski, a senior security advisor at Sophos Canada, wrote on the Sophos Naked Security blog.

But, as InformationWeek points out, Facebook's security team is already supposed to have mechanisms in place to shut down malicious pages resulting from the self-XSS exploit. So what happened exactly? Facebook's spokesman said that Facebook's security team "drastically limited the damage" and is investigating who's responsible.

The truth is that Facebook is a security menace. With 750 million users, some are bound to be gullible, leave their accounts open at their computer or click on stupid links. Facebook has to be more vigilant with security or risk losing users.

Contact Us