Facebook have acknowledged the spam attack that began slightly more than a day ago, explaining what was causing users to see pornographic and other disturbing photos on their friends' walls.
According to Facebook's statement, the people behind the attack are exploiting a browser vulnerability that allows "self-XSS". XSS is shorthand in security circles for cross-site scripting; in a self-XSS attack the victim is tricked into running the attacker's script in their own browser session, rather than the script being injected through a flaw in the website itself.
Considering that the flaw is not within Facebook's website, it appears to have been rather difficult for them to respond to this threat.
They state that they are working diligently to determine the behavior on people's accounts when they fall victim, and to roll back and delete any malicious changes.
The bigger question is what motivated the attackers to use this flaw in such a strange way. We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100% of them lead to some financial payout for the scammer.
This seems to be a purely malicious act. Facebook has a reputation for maintaining a reasonably family-friendly environment, and most Facebook users don't expect dead dogs and penises showing up on their wall.
Hopefully whichever browser has the flaw will provide a fix ASAP, but as we know, most people are slow to apply updates regardless of which browser they use (except Chrome, which updates itself automatically).
Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.
Update: I appeared on Marketplace Tech Report this morning explaining this attack for the less technical folks out there. You can hear John Moe and me talking about this attack in the short clip below.
(18 November 2011, duration 4:29 minutes, size 2.1 MBytes)