Thursday, November 17, 2011

The Facebook spam attack

Just recently I stumbled upon my Facebook home page with malicious and sexually-explicit photos displayed in the News Feed. It was flooded with images of graphic sex and violence. Yes, Facebook was hacked again!

"Users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content," the social networking giant said.

However, Facebook said that it has already identified the culprit and the exploited vulnerability, but urges its users to stay vigilant, and rest assured that no data or accounts were compromised due to these attacks.

Facebook is a big system where application from external sources are integrated so you can use them through the social networking site. Through this, clicking links, buttons, or images may lead to various activities - you may either be redirected to a certain page or application, but the catch is, what is behind this action, is not known and exploited to the user. Many users are intimidated with what they see and just click random links and buttons, thus increase the chances of these kinds of spam attacks.

Facebook said the attack was a "self-XSS" exploitation, where users are often tricked by contest prizes, sweepstakes, giveaways, and in order to qualify for these, you need to paste a "magic code" into your browser.

Back in May, Facebook rolled out a self-XSS security feature to prevent users from participating with these kinds of attack. It was supposed to add another security level to confirm if the user is certain of the links he is about to click or the codes he is about to copy. In addition, Facebook was working with major web browser companies as an step up effort to protect users from malicious links, through deploying Websense feature which checks and classifies if a certain action is abusive and may harm the user.

The company said it has quarantined malicious accounts and pages, and offered simple tips to safeguard users from future attacks.

  • Never copy and paste unknown code into the address bar
  • Always use an up-to-date browser
  • Use the report links on Facebook to flag suspicious behaviour or content on friends' accounts

“Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms. Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

During this spam attack users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.”

Facebook Comments

blog comments powered by Disqus