Facebook identifies hackers behind ‘porn and violence’ spam attack

16 Nov 2011

Facebook says that it has brought the cyber attack that saw its social network flooded with smutty content under control and that its enforcement team has already identified those responsible and is taking legal action.

Yesterday it emerged that an influx of graphic images which depicted pornography and extreme violence flooded numerous Facebook users’ news feeds without their knowledge.

The mechanism of the attack is understood to be a self-inflicted XSS (self-XSS) vulnerability, whereby users were tricked into pasting malicious JavaScript into their browser's address bar.

“In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow,” the company said in a statement this afternoon.

Many theories abounded as to the origin of the attack; one suspicion was that it was the attack Anonymous had threatened for 5 November, finally taking place. Either way, for whoever it is that Facebook has identified, the consequences could be dire. ‘Spam King’ Sanford Wallace, who compromised 500,000 accounts to send 2.7m spam messages, was fined US$711m by a judge last year. A US$873m judgement was made against spammers Adam Guerbuez and Atlantis Blue Capital in 2008.

“Protecting the people who use Facebook from spam and malicious content is a top priority for us. Recently, we experienced a spam attack that exploited a browser vulnerability. Our team responded quickly and we have eliminated most of the spam caused by this attack. We are now working to improve our systems to better defend against similar attacks in the future,” Facebook said.

Self-XSS vulnerability in browsers

“During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar, causing them to unknowingly share this offensive content. No user data or accounts were compromised during this attack.”

Facebook said that engineers have been working diligently on the self-XSS vulnerability in the browser.

“We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also put those impacted through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defences to find new ways to protect people.”

Facebook urged users never to copy and paste unknown code into their address bars, to always use an up-to-date browser, and to use the “Report” links on its site to report suspicious behaviour or content on their own or their friends’ accounts.
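The self-XSS mechanism described above relies on a `javascript:` URL reaching the address bar. The following added example (not Facebook's or any browser vendor's code) shows the kind of paste sanitiser browsers later adopted to strip that scheme, written to survive the whitespace and case tricks that defeat a naive prefix check; the function names and the sample pastes are constructed for this illustration.

```javascript
// Added example: a paste sanitiser for an address-bar-like input, modelled on
// the browser mitigation of dropping the "javascript:" scheme from pasted text.
// URL parsers strip leading/trailing C0 controls and spaces and ignore tab,
// newline and carriage-return characters anywhere in the input, so a plain
// startsWith('javascript:') test is bypassed by "  JaVaScRiPt:" or
// "java\tscript:". Normalise the same way the parser does before checking.

const C0_OR_SPACE = /^[\u0000-\u0020]+|[\u0000-\u0020]+$/g;
const TAB_OR_NEWLINE = /[\t\n\r]/g;

function normaliseForScheme(text) {
  return text.replace(C0_OR_SPACE, '').replace(TAB_OR_NEWLINE, '');
}

// Returns the lower-cased URL scheme of the (normalised) text, or null if the
// text does not begin with a syntactically valid scheme.
function detectScheme(text) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normaliseForScheme(text));
  return m ? m[1].toLowerCase() : null;
}

// Returns what should actually reach the address bar plus a flag a UI can use
// to show an educational warning like the checkpoints Facebook describes.
function sanitisePaste(text) {
  if (detectScheme(text) === 'javascript') {
    const cleaned = normaliseForScheme(text).replace(/^javascript:/i, '');
    return { blocked: true, value: cleaned };
  }
  return { blocked: false, value: text };
}

// Constructed sample pastes (harmless, not real campaign payloads).
const samplePastes = [
  'https://example.com/',
  'javascript:void(0)',
  '  JaVaScRiPt:void(0)',
  'java\tscript:void(0)',
];
for (const p of samplePastes) {
  console.log(JSON.stringify(p), '->', JSON.stringify(sanitisePaste(p)));
}
```

Stripping the scheme rather than rejecting the paste outright means the user still sees what they pasted, which makes the accompanying warning easier to understand.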

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com