Facebook porn storm used same tactics as May's Bin Laden spam

IE8, IE9, Opera and Safari vulnerable to 'self-XSS' attacks

1 2 Page 2
Page 2 of 2

"[But] I was able to get Internet Explorer 9 to execute JavaScript in the address bar," Wisniewski said in an email reply to questions today.

Computerworld found that Microsoft's IE8, Opera Software's Opera 11.5 and Apple's Safari 5.1 also executed test JavaScript pasted into the address bar.

IE8 and IE9 collectively account for about 39% of all browsers now in use.

Because Sophos has not seen a sample of the actual spam message, Wisniewski was unable to comment further on its makeup, or what kind of pitch the scammers used to convince people to paste malicious JavaScript into their browser.

But he did take Facebook to task. "Facebook supposedly put in self-XSS protection last spring, so it would appear to have failed," Wisniewski said.

Wisniewski was right: Just days after the Bin Laden spam hit Facebook, the company posted a document outlining additional steps it had taken to protect users. One of those steps was directed at self-XSS attacks.

"Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it's a bad idea," said Facebook. "[And] we are also working with the major browser companies to fix the underlying issue that allows spammers to do this."

Zscaler, an enterprise-oriented security firm, published more information about self-XSS, which it called "self-inflicted JavaScript injection," in a blog post today.

In the post, Zscaler included a benign JavaScript snippet -- javascript:alert('test'); -- that users could copy and paste into their browser's address bar to determine if it was vulnerable to self-XSS attacks.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com.

See more articles by Gregg Keizer.

Copyright © 2011 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
  
Shop Tech Products at Amazon