Browser Vulnerability, Tricked Users May Explain Disturbing Facebook Spam

Author: Cesar Ortiz
Published: November 16, 2011 at 9:44 am

Facebook says it has found an explanation for the current wave of spam attacks, which has spread explicit hardcore pornographic images and videos, Photoshopped pictures of celebrities such as Justin Bieber in sexual situations, images of extreme violence and even photographs of animal cruelty, among many other offensive pictures.

Users typically see the images posted on a friend’s account, visible to everyone but the friend in question. Facebook’s latest statement says the root of the attack is malicious JavaScript that some users were tricked into copying and pasting into their browser’s address bar. “We have recently experienced an increase in reports and we are investigating and addressing the issue,” Facebook representative Andrew Noyes told Mashable. Later in the day, Facebook released the following statement:

“Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms. Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.”

The attackers are not exploiting a software bug in the usual sense; they are tricking users into doing the copy-and-paste by hand. This is known as self-XSS (self cross-site scripting): a `javascript:` URL pasted into the address bar runs in the origin of the page that is currently loaded, so the pasted script gets the same access to the logged-in Facebook session, its cookies and the page content that Facebook’s own scripts have, and it can post on the user’s behalf without any further interaction. Facebook says users were tricked into pasting the offending JavaScript into the address bar of the affected web browser, but does not identify a specific browser. Because the technique depends on the user rather than on a flaw in any one product, every browser that executes `javascript:` URLs entered in its address bar is affected in the same way, and the only real defences are the user declining to paste and the site detecting and throttling the lure.
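Facebook’s statement mentions backend measures against the spam and the shutdown of Pages that spread it. As an added example (not Facebook’s code, and not from the original article), the following Node.js script shows one way a site could score posted text for the hallmarks of a self-XSS lure: a `javascript:` scheme, an instruction to paste something into the address bar, identifiers that only appear in script, and long runs of URL-encoded bytes that hide the payload from the reader. The rule names, weights, threshold and sample posts are this example’s own assumptions, and the sample posts are constructed, not real captured spam.

```javascript
'use strict';

// Added example, not Facebook's code: a backend-side heuristic that scores
// user-posted text for the hallmarks of a self-XSS lure, i.e. a message
// that asks the reader to paste script into the browser address bar.

// Each rule has a name, a regex over the raw post text and a weight.
// Names and weights are this example's own choices (assumptions).
const RULES = [
  // A javascript: scheme has no legitimate place in a social post.
  { name: 'javascript-scheme', weight: 3,
    re: /javascript\s*:/i },
  // "copy ... paste ... address/URL/location bar" is the social-engineering step.
  { name: 'paste-into-address-bar', weight: 2,
    re: /\b(copy|paste|put|enter)\b[\s\S]{0,80}\b(address|url|location|navigation)\s*bar\b/i },
  // Script-only identifiers that never show up in ordinary chatter.
  { name: 'script-tokens', weight: 2,
    re: /\b(eval|unescape|String\.fromCharCode|document\.cookie|XMLHttpRequest|createElement\s*\(\s*['"]script)\b/ },
  // Long runs of %xx or \xNN escapes hide the payload from the reader.
  { name: 'encoded-blob', weight: 1,
    re: /(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}/i },
];

// Posts at or above this score are held for review (assumed threshold).
const FLAG_THRESHOLD = 3;

// Score one post: sum the weights of every rule that matches and report
// which rules fired so a reviewer can see why the post was held.
function scorePost(text) {
  const hits = RULES.filter((rule) => rule.re.test(text));
  const score = hits.reduce((sum, rule) => sum + rule.weight, 0);
  return {
    score,
    reasons: hits.map((rule) => rule.name),
    flagged: score >= FLAG_THRESHOLD,
  };
}

// Constructed sample posts for the demo (not real captured spam).
const SAMPLE_POSTS = {
  // A lure: bait text, paste instruction, javascript: scheme, eval over an
  // encoded blob.
  lure:
    'OMG see who viewed your profile!! Copy this and paste it in your ' +
    'address bar: javascript:eval(unescape("%61%6c%65%72%74%28%31%29%3b%61%62%63%64"))',
  // Ordinary support advice that mentions the address bar but carries no script.
  helpdesk:
    'If the link does not open, copy it and paste it into your address bar.',
  // A plain post with a normal link.
  benign:
    'Great concert last night, photos at https://example.com/album',
};

// Score every sample and return the verdicts keyed by label.
function runDemo() {
  const results = {};
  for (const [label, text] of Object.entries(SAMPLE_POSTS)) {
    results[label] = scorePost(text);
  }
  return results;
}

// Print a one-line verdict per sample when the file is run with node.
for (const [label, r] of Object.entries(runDemo())) {
  console.log(`${label}: ${r.flagged ? 'FLAG' : 'ok'} (score ${r.score}) ${r.reasons.join(', ')}`);
}
```

A `javascript:` scheme alone is enough to hold a post, while the help-desk style "paste it into your address bar" on its own is not; it only crosses the threshold together with script tokens or an encoded blob. That layering is what keeps ordinary support instructions from being blocked while still catching the lure, and the `reasons` list gives the reviewer the evidence behind each verdict.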

Continued on the next page

About this article

Cesar Ortiz is married and lives with his wife in the USA. His expertise has been in Information Security, Forensic IT and related areas. Mr. Ortiz has worked in the government, military and private scenarios for more than twenty five years. …
