Don't blame Anonymous for Facebook porn storm, says researcher

Facebook admits its 'self-XSS' defenses failed

The recent spam attack that planted pornographic images on Facebook was not the work of Anonymous, a security researcher said today.

On Tuesday, Facebook confirmed what it called "a coordinated spam attack" that resulted in sexually explicit images, as well as photos of extreme violence and animal abuse, spreading on member's pages.

Earlier that day, some had speculated that Anonymous -- the hacker collective best known for conducting distributed-denial-of-service (DDoS) attacks against Visa, MasterCard and other firms that had stripped WikiLeaks of payment processing rights -- was behind the Facebook attack.

According to Romanian security vendor BitDefender, Anonymous crafted a classic Facebook worm, codenamed "Fawkes Virus," last July, and had pledged to use it to celebrate Guy Fawkes Day, Nov. 5 -- a promise the gang later withdrew.

Guy Fawkes was arrested Nov. 5, 1605, for his part in the Gunpowder Plot to assassinate King James I of England. Anonymous has often used a mask of Fawkes as a logo for its hacking campaigns.

BitDefender's find of Fawkes -- which it announced Nov. 12, just days before the Facebook porn storm -- prompted some, including Computerworld to speculate that Anonymous' malware was the cause of the fast-spreading offensive images.

Not the case, said BitDefender.

"It looks like other Facebook attacks," said George Petre, a senior social media security researcher at BitDefender, in an email reply to questions, referring to the porn attacks against the social networking giant.

"These are ordinary scams and we believe Anonymous would use something more sophisticated," Petre continued. "We expect the Fawkes virus to be something related to malware, and to have complex mechanisms."

Facebook has said that the attacks were conducted by exploiting what it called a "self-XSS browser vulnerability."

That label -- self-XSS -- has been used by other researchers to describe a ploy where spam messages tell recipients to copy and paste JavaScript into their browser's address bar. The script, however, is in fact malicious and exploits a bug to hijack the account, post images on their news feeds, and spread the images to others.

The same tactic has been used against Facebook members before, notably last May when a campaign baited the trap with a promise of video showing the death of Al-Qaeda terrorist Osama Bin Laden at the hands of U.S. special forces.

Just days after the Bin Laden attacks, Facebook touted security improvements, including one designed to stymie some self-XSS attacks.

"Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it's a bad idea," said Facebook. "[And] we are also working with the major browser companies to fix the underlying issue that allows spammers to do this."

Yesterday, Facebook admitted that the pornographic self-XSS attacks had sidestepped those defenses.

"We had since adapted our systems to the Bin Laden self-XSS variant [but] this attack used a previously-unknown spam vector," said a Facebook spokesman in an email Wednesday. "We have now tweaked our systems to better detect and block this variant."

Facebook also said that it had identified those responsible for the attacks, and was "working with our legal team to ensure appropriate consequences follow."

As BitDefender threw cold water on the idea that Anonymous plotted the attacks, other researchers said they were still in the dark about how the hackers duped users or who had created the spam.

"We still do not have solid information or screenshots," acknowledged Commtouch, whose researchers have previously discussed self-XSS attacks. "The spread of the images makes it difficult to determine the originating users who actually, or unknowingly, started the attack."

Users can prevent self-XSS attacks by refusing to copy and paste JavaScript -- or anything else -- into their browsers' address bars, experts have advised.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies