Facebook discovers how porn and violence spread on news feeds


16 Nov 2011

Facebook has found why many users saw images of pornography and violence flood their news feeds: users were tricked into pasting malicious code into their address bars.

Many Facebook users, mostly located in the US, complained their news feeds were being flooded with images of explicit pornography and extreme violence. A number of users’ accounts were hijacked to post this content without their knowledge.

Facebook has since discovered what happened, saying it was a co-ordinated spam attack that exploited a browser vulnerability. No specific browser was mentioned. A spokesperson also says Facebook has eliminated most of the spam from the attack.

“During this spam attack, users were tricked into pasting and executing malicious JavaScript in their browser URL bars, causing them to unknowingly share this offensive content,” says a spokesperson.

“Our engineers have been working diligently on this self-XSS vulnerability in the browser. We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it.

“We also put those impacted through educational checkpoints so they know how to protect themselves. We’ve put in place back-end measures to reduce the rate of these attacks and will continue to iterate on our defences to find new ways to protect people.”

The spokesperson advised users never to copy and paste unknown code into the address bar, to always use an up-to-date browser and to report suspicious behaviour on Facebook.

Chester Wisniewski, senior security adviser at Sophos Canada, suggests that scammers may have lured users into the spam attack by offering a fake contest, where users would have to paste the malicious code into their browser to ‘win’.

While the culprits have not been discovered, Wisniewski believes the attack was purely a malicious act against Facebook.

“Facebook has a reputation for maintaining a reasonably family-friendly environment and most Facebook users don’t expect dead dogs and penises showing up on their wall,” he says.