Facebook explains pornographic shock spam, points at browser vulnerability
Facebook has acknowledged the spam attack that began a little more than a day ago, explaining what caused users to see pornographic and other disturbing photos on their friends' walls.
According to its statement, the people behind the attack are exploiting a browser vulnerability that allows "self-XSS". XSS is security shorthand for cross-site scripting; in self-XSS there is no injection flaw in the site itself. Instead the victim is socially engineered into pasting attacker-supplied JavaScript into the browser's address bar (typically as a javascript: URL), and the browser runs it in the context of the page that is open, in this case facebook.com, with the victim's logged-in session and permissions.
Since the flaw is not in Facebook's own website, it appears to have been rather difficult for Facebook to respond to this threat.
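The fix that sits on the browser side is to treat pasted text as untrusted and refuse to execute a javascript: URL dropped into the address bar. The block below is an added illustration of that check, not Facebook's code or any browser's source. It models the normalisation the URL parser applies before it reads a scheme (strip leading and trailing controls and spaces, drop tab/LF/CR anywhere, compare the scheme case-insensitively), which is exactly what a naive `startsWith("javascript:")` check misses. The function names and the sample strings are constructed for the example.

```javascript
// Added example (not from the original article, Facebook, or any browser):
// a "paste guard" that mirrors the browser-side mitigation for self-XSS.
// The idea is to decide whether text about to be executed from the address
// bar is a javascript: URL, after the same normalisation a URL parser does.

// Naive check: what a hurried implementation looks like. It misses leading
// whitespace, mixed case and embedded newlines, all of which a real URL
// parser tolerates, so the payload would still run.
function naiveIsJavascriptUrl(text) {
  return String(text).startsWith("javascript:");
}

// WHATWG URL parsing removes leading/trailing C0 controls (U+0000..U+001F)
// and U+0020, then removes ASCII tab, LF and CR anywhere in the input,
// before the scheme is read. Reproduce that so the check sees what the
// browser would see.
function normalizeForSchemeCheck(text) {
  let s = String(text);
  s = s.replace(/^[\u0000-\u0020]+/, "").replace(/[\u0000-\u0020]+$/, "");
  s = s.replace(/[\t\n\r]/g, "");
  return s;
}

// Extract the scheme, lower-cased, or null when the text has no scheme.
// Scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
function getScheme(text) {
  const s = normalizeForSchemeCheck(text);
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Robust check: true when the pasted text would be executed as script.
function isJavascriptUrl(text) {
  return getScheme(text) === "javascript";
}

// What browsers ended up doing for pasted text: keep the user's input but
// drop the javascript: scheme, so it can no longer execute and is treated
// as an ordinary string (for example, a search query).
function sanitizePastedUrl(text) {
  if (!isJavascriptUrl(text)) return text;
  const s = normalizeForSchemeCheck(text);
  return s.slice(s.indexOf(":") + 1);
}

// Constructed sample inputs for demonstration; not payloads from the attack.
const SAMPLES = [
  "javascript:alert(document.cookie)",
  "  JaVaScRiPt:void(0)",
  "java\nscript:alert(1)",
  "https://www.facebook.com/",
  "javascript",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(
      JSON.stringify(s),
      "naive:", naiveIsJavascriptUrl(s),
      "robust:", isJavascriptUrl(s),
      "sanitized:", JSON.stringify(sanitizePastedUrl(s))
    );
  }
}
```

The contrast between `naiveIsJavascriptUrl` and `isJavascriptUrl` on the mixed-case and newline-containing samples is the point: any filter that inspects the raw clipboard string without first applying the parser's normalisation can be bypassed by text that the address bar will still happily execute.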
Facebook states that it is working diligently to determine what happens to people's accounts when they fall victim, and to roll back and delete any malicious changes.
The bigger question is what motivated the attackers to use this flaw in such a strange way. Sophos's Naked Security investigates a lot of Facebook scams, and its guess is that nearly 100% of them lead to some financial payout for the scammer.
This one, by contrast, looks like a purely malicious act. Facebook has a reputation for maintaining a reasonably family-friendly environment, and most Facebook users don't expect dead dogs and genitalia showing up on their wall.
Hopefully whichever browser has the flaw will provide a fix ASAP, but as we know, most people are slow to apply updates regardless of which browser they use (Chrome, which updates itself automatically, being the exception).