Attacks/Breaches
11/16/2011
08:44 AM
50%
50%

Facebook Blames Porn Attack On Browser Bugs

Attack spread a massive quantity of hardcore pornography and violence images via a cross-site scripting flaw.

Facebook officials on Wednesday acknowledged that the site had been hit by a spam attack that unleashed massive quantities of violent and pornographic images across users' newsfeeds for more than 24 hours. Facebook blamed the attack's success on a browser vulnerability, but said it had largely brought the attack under control.

"During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. No user data or accounts were compromised during this attack," said a Facebook spokesman via email. "Our engineers have been working diligently on this self-XSS vulnerability in the browser."

Facebook declined to name which browser had the vulnerability, but "self-XSS" refers to a cross-site scripting (XSS) exploit that's launched by a user. These attacks rely on social engineering to trick users into cutting and pasting a line of code into their browser. "What would compel someone to copy and paste malicious JavaScript into their browser? Usually it is related to a giveaway, contest, or sweepstakes for some fantastic prize, and to qualify you need to paste this magic code into your browser," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

But according to Facebook's security team, the social network has now created "enforcement mechanisms" that automatically shut down malicious pages that result from the self-XSS exploit, as well as accounts that appear to have been created simply to launch these types of attacks. "Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms," said the Facebook spokesman. "Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible."

[Learn 5 Ways Enterprises Can Stay Safer On Facebook.]

The images spread via the attack included images of celebrity Justin Bieber, who'd been "Photoshopped" into a sexual situation, as well as pictures of a dead dog. The explicit images hit many Facebook users' newsfeeds beginning Monday and continued for at least 24 hours before Facebook brought it under control. "Considering that the flaw is not within Facebook's website it appears to have been rather difficult for them to respond to this threat," said Wisniewski at Sophos.

Why attack Facebook? "Social networks are a gold mine for attackers," said Mike Geide, senior security researcher at Zscaler ThreatLabZ, via email. "With such a large volume of users, spam and malicious content can spread very rapidly."

Most of these attacks--whatever their imagery--have a single overriding purpose: to make money for attackers, typically via pharmaceutical sales, by stealing people's personal financial information, or via clickjacking or likejacking campaigns, which redirect people to websites and generate referral income for attackers.

What's unusual about this Facebook attack, however, is that it doesn't appear to be designed to make money. "We investigate lots of Facebook scams ... and I would guess that nearly 100% of them lead to some financial payout for the scammer," said Wisniewski at Sophos. But this attack, unusually, appears to have been designed solely to attack Facebook's "reputation for maintaining a reasonably family-friendly environment," he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LindaJoyAdams
50%
50%
LindaJoyAdams,
User Rank: Apprentice
11/17/2011 | 2:40:07 AM
re: Facebook Blames Porn Attack On Browser Bugs
Some of my Face book friends said that it was being posted on the ' walls' of some, but the owners of those walls could not see it but others could. i have friends that personally know each other in the real world. So this was insidious as one had no idea that their wall was portraying this. I wish that we could check " no porn" when we check personal vs private. My face book ' family' is really wonderful and we share common interests, especially of our faith. For this to get in on our group is anathema. Guess we'll just have to 'pray for an exorcism' as a couple have. I'm willing to be the friend of anyone wishing to be a 'friend' but please leave your porn and extreme violence for another forum.Linda Joy Adams
Bprince
50%
50%
Bprince,
User Rank: Ninja
11/17/2011 | 12:03:35 AM
re: Facebook Blames Porn Attack On Browser Bugs
It's good advice to be skeptical of something that requires you to cut and paste code like that. That should have been a red flag. I also kind of feel that Facebook should name the browser, since the vulnerability is being actively exploited...
Brian Prince, InformationWeek/Dark Reading Comment Moderator
jrapoza
50%
50%
jrapoza,
User Rank: Apprentice
11/16/2011 | 9:00:21 PM
re: Facebook Blames Porn Attack On Browser Bugs
It's interesting in that this is basically a classic open Web style attack. Now that Facebook has become it's own platform that exists basically as a "social web", we'll probably see more attacks like this, since the bad guys always go where the most potential victims are.

Jim Rapoza is an InformationWeek Contributing Editor
ANON1241486907214
50%
50%
ANON1241486907214,
User Rank: Apprentice
11/16/2011 | 2:45:41 PM
re: Facebook Blames Porn Attack On Browser Bugs
Blame it on Rio ...

Facebook gets a bit of its own medicine. They certainly know about "social engineering" scams, that's what they do to every unsuspecting new user when they ask for their contact list. Then, of course, proceed to spam everyone in the list. Plus the Facebook way of exposing users privacy, by cross referencing email addresses and "offering" you as friend to every spammer and pornographer in the world with a Facebook account.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2004-2771
Published: 2014-12-24
The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVE-2014-3569
Published: 2014-12-24
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshak...

CVE-2014-4322
Published: 2014-12-24
drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or c...

CVE-2014-6132
Published: 2014-12-24
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML vi...

CVE-2014-6153
Published: 2014-12-24
The Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.