Facebook porn storm used same tactics as May's Bin Laden spam

IE8, IE9, Opera and Safari vulnerable to 'self-XSS' attacks

The attacks against Facebook that planted pornography on users' news feeds relied on the same trickery as a campaign last spring that touted the death of Osama Bin Laden, a security researcher said today.

On Tuesday, Facebook confirmed what it called "a coordinated spam attack" that resulted in sexually explicit images, as well as photos of animal abuse, spreading on member's pages.

Facebook identified the hacker tactic used to hijack pages and bombard friends with the photos as an exploit of what it called a "self-XSS browser vulnerability."

That label -- self-XSS -- has been used by other researchers, including those at Commtouch, to describe a ploy where spam messages tell recipients to copy and paste JavaScript into their browser's address bar. The script, however, is in fact malicious and exploits a bug in the browser.

[Editor's note: Yesterday, Computerworld mistakenly identified self-XSS as a form of "clickjacking."]

To dupe users into doing their dirty work -- copying and pasting malicious JavaScript -- criminals have used a range of bait, including "exclusive" video and the giveaway of free Starbucks cards.

Last May, for instance, a Facebook spam campaign set the trap with the promise of a video supposedly showing the death of Al-Qaeda terrorist Osama Bin Laden at the hands of U.S. commandos.

In that campaign, Facebook recipients were directed to copy and paste JavaScript into their browser's address bar.

More than a year before the Bin Laden scam, a similar self-XSS attack circulated on Facebook that told recipients they could acquire a $25 Starbucks card for free.

Facebook did not specify which browsers were vulnerable to the recent attacks. But Chet Wisniewski, a Sophos security researcher, said his testing showed Google's Chrome and Mozilla's Firefox 6 and later were immune because they don't allow pasted JavaScript to execute from the address bar.

Facebook security test
IE8 breezily executes pasted JavaScript, and -- contrary to Facebook's contention -- didn't warn us when we copied test script into the address bar.
1 2 Page 1
The brave new world of Windows 10 license activation
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies