
Facebook Explains Pornographic Shock Spam

Facebook explains pornographic shock spam, points at browser vulnerability

Facebook has acknowledged the spam attack that began slightly more than a day ago, explaining what was causing users to see pornographic and other disturbing photos on their friends' walls.

According to their statement, the people behind the attack are exploiting a browser vulnerability that allows "self-XSS". XSS is shorthand in security circles for cross-site scripting.

What does this mean? Cross-site scripting essentially allows an attacker to execute JavaScript code in your browser that can access and control the website you are interacting with.

Facebook says that users were being enticed to copy and paste the offending JavaScript into the address/location bar of the affected web browser. I do not know which browser is vulnerable at this time.
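One defensive control against the paste trick described above is for whatever receives the pasted text to drop a leading `javascript:` scheme before acting on it. The sketch below is an added example, not code from Facebook or from any browser; the helper name `stripScriptScheme` is hypothetical and the sample pastes are constructed, with inert payloads.

```javascript
// Added example: neutralise a pasted javascript: URL before it is used.
// URL parsing ignores leading control/space characters and any tab or
// newline inside the input, so the matcher has to tolerate both.
const GAP = "[\\t\\n\\r]*";
const SCHEME_RE = new RegExp(
  "^[\\u0000-\\u0020]*" + "javascript".split("").join(GAP) + GAP + ":",
  "i"
);

// Hypothetical helper: returns the text with every leading javascript:
// scheme removed, plus a flag saying whether anything was stripped.
function stripScriptScheme(pasted) {
  let text = String(pasted);
  let stripped = false;
  // Loop so "javascript:javascript:..." cannot survive a single pass.
  while (SCHEME_RE.test(text)) {
    text = text.replace(SCHEME_RE, "");
    stripped = true;
  }
  return { text, stripped };
}

// Constructed sample pastes (payloads are inert placeholders).
const samples = [
  "javascript:void(0)",
  "  JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "javascript:javascript:void(0)",
  "https://www.facebook.com/",
  "how to learn javascript: a guide",
];

for (const s of samples) {
  const r = stripScriptScheme(s);
  console.log(JSON.stringify(s), "->", JSON.stringify(r.text),
    r.stripped ? "(scheme stripped)" : "(unchanged)");
}
```

The match is anchored to the start of the paste, so ordinary text that merely mentions "javascript:" later in the string is left alone.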

Facebook Security

What would compel someone to copy and paste malicious JavaScript into their browser? Usually it is related to a giveaway, contest or sweepstakes for some fantastic prize, and to qualify you need to paste this magic code into your browser.

Considering that the flaw is not within Facebook's website, it appears to have been rather difficult for them to respond to this threat.

They state that they are working diligently to determine the behavior on people's accounts when they fall victim and to roll back and delete any malicious changes.

The bigger question is what motivated the attackers to use this flaw in such a strange way? Sophos investigate lots of Facebook scams at Naked Security, and they would guess that nearly 100% of them lead to some financial payout for the scammer.

This seems to be a purely malicious act. Facebook has a reputation for maintaining a reasonably family-friendly environment, and most Facebook users don't expect dead dogs and penises or vaginas showing up on their wall.

Hopefully whichever browser it is that has the flaw will provide a fix ASAP, but as we know most people are slow to apply updates regardless of which browser they use (except Chrome).

The flaw being exploited could possibly be used against other websites as well if users can be tricked into pasting malicious JavaScript into the browser.

About Noob Blogger

Publisher / Editor / Owner of Blog For Noob.
