Facebook have acknowledged the spam attack that began slightly more than a day ago, explaining what was causing users to see pornographic and other disturbing photos on their friends’ walls.
According to Facebook’s statement, the people behind the attack are exploiting a browser vulnerability that allows “self-XSS”. XSS is shorthand in security circles for cross-site scripting.
What does this mean? Cross-site scripting essentially allows an attacker to execute JavaScript code in your browser, in the context of the website you are interacting with, so the script can read from and act on that site as if it were you.
Facebook says that users were being enticed to copy and paste the offending JavaScript into the address/location bar of the affected web browser. We do not know which browser is vulnerable at this time.
What would compel someone to copy and paste malicious JavaScript into their browser? Usually it is related to a giveaway, contest or sweepstakes for some fantastic prize, and to qualify you need to paste this magic code into your browser.
Considering that the flaw is not within Facebook’s website, it appears to have been rather difficult for them to respond to this threat.
They state that they are working diligently to determine what happens to people’s accounts when they fall victim, and to roll back and delete any malicious changes.
The bigger question is what motivated the attackers to use this flaw in such a strange way? We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100% of them lead to some financial payout for the scammer.
This seems to be a purely malicious act. Facebook has a reputation for maintaining a reasonably family-friendly environment, and most Facebook users don’t expect dead dogs and penises showing up on their wall.
Hopefully whichever browser has the flaw will provide a fix ASAP, but as we know most people are slow to apply updates regardless of which browser they use (Chrome being the exception).
The flaw being exploited could likely be used against other sites as well if users can be tricked into pasting malicious JavaScript into the browser. We will provide more information on this story as it becomes available.
Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.
Update: I appeared on Marketplace Tech Report this morning explaining this attack for the less technical folks out there. You can hear John Moe and me talking about this attack in the short clip below.
(18 November 2011, duration 4:29 minutes, size 2.1 MBytes)
I personally still have yet to even see this supposed link that seems so prevalent – clearly, it must not be something people are just able to get from, say, each other's walls, or even on Facebook itself at all. I am still in the dark about the whole thing; the most evidence I've seen thus far is other people complaining about the phenomenon.
I saw other people complaining about … namely, my 15-year-old granddaughter who said "EW! It's disgusting!" but then it shows up on MY wall, though it didn't originate from me, but from someone else whose stuff posts to my wall. Really graphic nasty stuff. Yuck. I'm not so easily offended but that WAS offensive.
And me. Thank goodness
10 to one it's the stupid Wal-Mart $100 giveaway that's being spread far and wide on Facebook nowadays. I see it about 40 times a day and tell people it has malicious coding in it; they make you do all these surveys, then go to a link and voila… you get bupkus! (Well, a headache once you learn your profile is posting porn and dead animals.) People really need to learn to check info out before posting to their walls about free crap… it's NOT free! If it sounds too good to be true then it more than likely is!!!
This needs to get cleaned up….now…
Two days ago, I saw a really pornographic photo on Facebook by checking a friend's comment in the ticker. She had commented on this photo, which was on one of her friend's posts. I mean this was hard-core porn. It was shocking to all of the people who saw and commented on it. I was so shocked that I did not think to see if I could figure out how to report it until sometime later, and by then it was buried in the ticker.
Yesterday, all of the friends in one of my groups received a message with some sort of video link… "I couldn't watch more than 15 seconds of this" or some such message. I just deleted it immediately so I have no idea what it was supposed to be.
You can find the real video minus the virus by going on YouTube and typing "I couldn't watch more than 15 seconds of this", if you are into watching huge infected zits being popped. On FB though, it has been turned into a virus.
Browsers have already been patching for this behavior. Chrome hasn't allowed pasted JavaScript for a while, Microsoft blocks it in IE9+, and Firefox started blocking it with version 6. I recently saw a Facebook scam that tried to get around browser limitations by having the user type "j" then pasting "avascript:…", but this still fails to work in IE9 and Firefox.
Hi, and thank you for the article. I'd seen people's warnings about this, but the warnings don't say how accounts get corrupted. For those of us that are less techy, could you perhaps provide an example of what the JavaScript looks like? I think people may be less inclined to copy/paste it if they have an idea what to look for.
Many thanks 🙂
Sarah.
There is an example screenshot in this post http://nakedsecurity.sophos.com/2010/02/02/anatom…
Typically they start out with javascript;var=document.getelementbyID(…
So what about the part where people cannot see the offensive posts on their own wall but their friends can – is that true or not? If that is true then in fact it seems to indicate some type of flaw in Facebook, whether truly a flaw or another misguided feature, the net effect is the same.
It seems the complete picture of what is going on has yet to be fully revealed…
I’ve started operating a zero tolerance policy on Facebook: if someone posts 3 spam or malicious links then I'm deleting them. I’ve tried education but that seems to have failed. It always seems to be the same victims anyway.
I don't know if I believe this. Or at least if this is currently happening, I haven't seen it. The pornographic photos that everyone is seeing in their news feeds are posted by normal users. The problem is the people that feel the need to comment on the pictures instead of just reporting them. This makes the picture appear in every one of their friends' feeds because of the way Facebook has set up the new feeds. Once a picture gets a certain number of comments, every time it is commented on, it will show up in that person's friends' (the friends that "subscribe" to that person) feeds because of its "popularity". There is also that one video going around that once you click on it, it gets sent to all your friends. I've only seen this about two times. The main problem is the photos.
I don't know about this. I do know that I was reported twice in less than 6 hours and my account is blocked for 24 hours 🙁
I HATE how BBC is copying some of this blogs text.
Damn bastards.
Why so? They make it clear who they're quoting and provide a link. Glad the NS team's writing is being referred to so regularly by places like the BBC.
I reverse-engineered the exploit, and the browser vulnerability seems to be located in the "User" module.
Well played, sir.
…and the moral of the story is to never use IE.
Let's assume for a moment that people aren't actually copying and pasting this code, and that it just takes viewing it in a browser:
If the code was subjected to server side code and filtered for all symbols ;:>< etc. and replaced with their HTML equivalents the code would be rendered useless right? Granted it still wouldn't solve people wantonly copying and pasting stuff in their address bar, but… Well, maybe that could be solved using server side code as well? Search specifically for certain known strings and show a warning above them warning the user of possible repercussions? Just a thought.
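The article's description of self-XSS, the comment above about Chrome, IE9 and Firefox refusing pasted javascript: URLs, and the server-side filtering question just raised all point at the same small set of defenses, shown here as an added example in Node.js that is not code from Naked Security, Facebook or any browser vendor. It demonstrates the caveat a practitioner would raise with the filtering idea: entity-encoding `;:><` and friends does stop stored text from becoming markup, but it does nothing for a `javascript:` link (none of the escaped characters appear in one) and nothing for code a person pastes into their own address bar. So the block pairs output encoding with a URL-scheme allowlist, and turns the "show a warning above known strings" suggestion into a heuristic that flags posts telling readers to paste script into the address bar. The function names (`escapeHtml`, `safeHref`, `looksLikePasteScriptLure`) and the sample post are constructed for this example.

```javascript
// Added example (not Naked Security's, Facebook's or any browser vendor's code):
// three server-side checks a site can apply to user-submitted content.
// All function names and sample strings are constructed for this example.

// 1. Output encoding, applied when stored text is rendered into HTML.
//    The characters that give text HTML meaning become entities, so a post
//    containing a <script> tag is displayed as text instead of being parsed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. Link values need a different defense: "javascript:alert(1)" contains none
//    of the characters escapeHtml touches, so an encoded href is still a
//    script URL. Allowlist the scheme instead; anything else is rejected.
//    Relative links are rejected too (new URL() throws without a base), which
//    keeps the example strict; a real site would resolve them against itself.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(candidate) {
  let url;
  try {
    // The WHATWG URL parser lower-cases the scheme and strips tabs, newlines
    // and surrounding whitespace, so "java\tscript:" and " JavaScript:" are
    // both recognised as the javascript: scheme.
    url = new URL(String(candidate));
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// 3. Neither check stops a person pasting code into their own address bar,
//    which is the self-XSS vector in the article. What a site can do is flag
//    posts that carry the lure, so a warning is shown instead of the
//    instructions. Returns true when the text should be held for a warning.
function looksLikePasteScriptLure(text) {
  const s = String(text).replace(/[\s\u0000-\u001f]+/g, ' ').toLowerCase();
  // A javascript: URL anywhere in the post, including the "type j, then paste
  // avascript:" variant one commenter describes.
  if (/(^|[^a-z])j?avascript\s*[:;]/.test(s)) return true;
  // DOM-scripting fragments plus an instruction to paste into the address bar.
  const scripty = /\bdocument\.(getelementbyid|cookie|body)\b|\bvar\s+\w+\s*=/.test(s);
  const lure = /\b(paste|copy)\b.*\b(address|location|url)\s*bar\b/.test(s);
  return scripty && lure;
}

// Constructed sample post in the shape the comments describe.
const SAMPLE_LURE = 'Win a FREE $100 gift card! Copy this code and paste it into your address bar: var a=document.getElementById("pagelet_ticker")';

// Demo when run directly with node.
console.log(escapeHtml('<script>alert("hi")</script>'));
console.log(safeHref('https://nakedsecurity.sophos.com/'), safeHref('javascript:alert(1)'));
console.log(looksLikePasteScriptLure(SAMPLE_LURE), looksLikePasteScriptLure('I could not watch more than 15 seconds of this'));
```

The heuristic is deliberately a warning trigger, not a block: it errs toward flagging, and a site would show the user a notice and hold the post for review rather than silently drop it. The escaping step belongs at render time, in the HTML text context only; attribute values, and href in particular, need the scheme check as well.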
That's why I like using Google Chrome!!
I copied and reposted within Facebook a warning I received about several viruses, and now when I want to copy and paste an address from my browsers (IE and Google Chrome) the message appears in the address bar! Any suggestions??
Do not spread warnings about viruses. While I'm sure you are well meaning, I have never, EVER, seen such a warning that was accurate or true in the least. Unless you actually know what you are talking about and have researched it, then don't spread anything.
I received a message from a friend saying that a porn picture showed up on her news feed as myself commenting on it; however, when she checked there is nothing on my wall, and she informed me. I have not commented on such a photo; however, I have received the same thing on my news feed saying another friend commented on this. I have reported the photo to Facebook. Do I need to delete my account or will Facebook sort this issue out?
IE8 is the safe bet. (for being the browser at fault and most important to stay away from)
I really don't believe the "Browser" story from Facebook, simply because I received a message to my inbox from a FB friend's account that rarely ever logs in and plays No games or apps. Something else is going on here, and I believe there was a vulnerability within Facebook itself. Perhaps it's even something being exploited within the new Timeline feature… yet FB wants to avoid any further criticism of their awful new features. It's easier to blame a Browser rather than acknowledge that they left a hole somewhere. Especially after all the problems and negative feedback they have gotten since launching the new version… (It's one thing to offer updates, it's another to FORCE it on the users.)
Another thing: Ever since that Ticker launched, I have been having sluggish and unresponsive behaviors when using Firefox.
Yeah, I won't be shocked if Facebook is trying to shift blame. Just for giggles, I'll tell you what I want the cause to be.
1. A Fake-AV is distributed to both macs and PCs. I can't find a statistic of "% of laptops running iOS" but serving this Trojan to macs would be a "worthwhile".
2. Porn is posted using the security vulnerability of HTTP over unencrypted wifi.
If this is the case, I will have difficulty not enjoying the situation.
Oh Anon…. you have outdone yourself in bringing the lulz this time. Bravo. Bravo
This isn't so unlikely now, is it? The Philippines are warning of criminal behavior to those posting things on FB and Twitter. Now it's against the law, people.
So, how about the new Apostrophe Virus that attacks prose like yours? Did you get the Apostrophe Trojan, or what?
'… on their friends walls.'
… and there are other apostrophical horrors in your text.
Cant pay no attention to what noone write's if they cant write gooder.