Facebook explains pornographic shock spam, hints at browser vulnerability

Facebook SecurityFacebook have acknowledged the spam attack that began slightly more than a day ago explaining what was causing users to see pornographic and other disturbing photos on their friends walls.

According to Facebook’s statement the people behind the attack are exploiting a browser vulnerability that allows “self-XSS”. XSS is shorthand in security circles for cross-site scripting.

What does this mean? Cross-site scripting essentially allows an attacker to execute JavaScript code in your browser that can access and control the website you are interacting with.

Facebook says that users were being enticed to copy and paste the offending JavaScript into their address/location bar in the affected web browser. We do not know which browser is vulnerable at this time.

What would compel someone to copy and paste malicious JavaScript into their browser? Usually it is related to a giveaway, contest or sweepstakes for some fantastic prize, and to qualify you need to paste this magic code into your browser.

Considering that the flaw is not within Facebook’s website it appears to have been rather difficult for them to respond to this threat.

They state that they are working diligently to determine the behavior on peoples accounts when they fall victim and to roll back and delete any malicious changes.

CoinsThe bigger question is what motivated the attackers to use this flaw in such a strange way? We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100% of them lead to some financial payout for the scammer.

This seems to be a purely malicious act. Facebook has a reputation for maintaining a reasonably family friendly environment and most Facebook users don’t expect dead dogs and penises showing up on their wall.

Hopefully whichever browser it is that has the flaw will provide a fix ASAP, but as we know most people are slow to apply updates regardless of which browser they use (except Chrome).

The flaw being exploited could likely be used against other sites as well if users can be tricked into pasting malicious JavaScript into the browser. We will provide more information on this story as it becomes available.

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Sophos page on Facebook, where over 140,000 people regularly share information on threats and discuss the latest security news.

Update: I appeared on Marketplace Tech Report this morning explaining this attack for the less technical folks out there. You can hear John Moe and I talking about this attack in the short clip below.

(18 November 2011, duration 4:29 minutes, size 2.1 MBytes)