Facebook Blames Porn Attack on “Browser Vulnerability”

Facebook has blamed a browser vulnerability and naive user behaviour for the explicit spam campaign that hit the service earlier this week.

At the weekend it emerged that tens of thousands of Facebook users had been confronted in their news feeds with a fake pornographic image of singer Justin Bieber, and another of a dead dog.

Who was behind the attack and what motivation remained unclear, but the biggest question was how the spam was spreading.

The company said it had now tracked down the root cause as being a “self-XSS” flaw in which users were socially engineered into cutting and pasting malicious Javascript into the URL bar, executing the attack.

Facebook hasn’t mentioned which browsers it thinks are vulnerable – it could in theory be any running Java – nor why user behaviour would constitute a browser flaw in the first place. Adding the moniker “self” to XSS (cross-site scripting) hints that the company sees the issue as being to some extent self-inflicted by unwary users.

“We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it,” Facebook said.

The company was also “putting those affected through educational checkpoints so they know how to protect themselves,” it said without explaining what defensive measures it would recommend to users currently unaffected by the issue.

“We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.”

Security commentators now see the motivation the for the attack as being designed to disrupt the service rather than, as is usually the case, derive profit.

“This seems to be a purely malicious act,” said Chester Wisniewski of security company Sophos. “The flaw being exploited could likely be used against other sites as well if users can be tricked into pasting malicious JavaScript into the browser.”