
Facebook Says It's Calmed Porn Storm

Facebook says it has largely tamed the flood of pornographic and shocking images that spread across the social network over the past few days, but its explanation of what happened was rather vague and contradictory.
Source: SecurityNewsDaily


"Recently, we experienced a coordinated spam attack that exploited a browser vulnerability," the company said in a statement posted on its own blog and emailed to journalists. "Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

"During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content," the statement further explained. "Our engineers have been working diligently on this self-XSS vulnerability in the browser. We've built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it."

Commenters on SecurityNewsDaily's own Facebook page reported still seeing disturbing images.

"I'm still seeing the odd one or two," said Andrew Raven Williams. "They do not have it under control," said Maury Nichols.

(If you're still seeing these images, it is most likely because friends of yours were tricked into sharing them. But it couldn't hurt to change your Facebook password to something strong, and to prune your account of apps and add-ons you don't need or use.)

Facebook's explanation of the problem and its solution may sound impressive, but it doesn't make much sense. The company didn't say which of the five major Web browsers — Internet Explorer, Firefox, Chrome, Safari or Opera — was targeted.

Nor does it seem likely that ordinary users would be copying and pasting malicious JavaScript into their browsers' address bars. [UPDATE: But apparently that does happen, astoundingly. This posting at Zscaler's ThreatLab blog explains how it works, though it's hard to believe anyone would fall for something that amounts to handing the keys to your car to a total stranger.]


"XSS" is developer shorthand for "cross-site scripting," a common class of attack in which JavaScript supplied by an attacker runs inside a site the attacker does not control, with the same access as the site's own scripts and the victim's logged-in session. In the "self-XSS" variant Facebook describes, the victim does the injecting: a snippet beginning with "javascript:" pasted into the browser's address bar runs as if it were part of the Facebook page being viewed, so it can post and share exactly as the user could. Facebook's wording would imply that the attack originates outside Facebook and relies on a browser behavior that Facebook does not control, both of which would limit Facebook's ability to respond.
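As an added illustration (not code from the article, Facebook or any browser vendor), the following Node.js script models how an address bar treats pasted text, why a lure that breaks up or mis-cases the word "javascript" still executes, and why dropping the "javascript:" scheme before navigating defuses it. The function names and the sample lure strings are constructed for this example; the "payload" is a harmless alert of the page's domain.

```javascript
// Added example, not code from the article, Facebook or any browser vendor.
// Models how an address bar classifies pasted text and why stripping the
// "javascript:" scheme defuses a self-XSS lure.

// WHATWG URL parsing strips leading/trailing C0 controls and spaces, then
// removes every ASCII tab and newline, before it looks for a scheme. A lure
// that splits "javascript" with a tab is therefore still a javascript: URL.
function normalizeUrlInput(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":" (RFC 3986), case-insensitive.
const SCHEME_RE = /^([a-z][a-z0-9+\-.]*):/i;

// Schemes whose "navigation" executes code in the origin of the page currently
// shown, with that page's cookies and session.
const SCRIPT_SCHEMES = new Set(["javascript"]);

// What an address bar sees in the pasted text: the cleaned string, its scheme
// (lowercased) and whether navigating to it would run script in the page.
function classifyPastedAddress(text) {
  const cleaned = normalizeUrlInput(text);
  const m = SCHEME_RE.exec(cleaned);
  const scheme = m ? m[1].toLowerCase() : null;
  return { cleaned, scheme, runsScript: scheme !== null && SCRIPT_SCHEMES.has(scheme) };
}

// Mitigation: strip the script scheme so the remainder is treated as a plain
// search query rather than navigated. Non-script input is returned unchanged.
function neutralizePastedAddress(text) {
  const info = classifyPastedAddress(text);
  return info.runsScript ? info.cleaned.slice(info.scheme.length + 1) : info.cleaned;
}

// Constructed lure strings for illustration (not taken from the attack).
const SAMPLES = [
  "javascript:alert(document.domain)",     // the plain lure
  "  JavaScript:alert(document.domain)",   // leading spaces, mixed case
  "java\tscript:alert(document.domain)",   // tab inside the scheme name
  "javascript : alert(document.domain)",   // space before ':' -> no scheme, inert
  "https://www.facebook.com/",             // an ordinary URL
];

function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    runsScript: classifyPastedAddress(s).runsScript,
    afterMitigation: neutralizePastedAddress(s),
  }));
}

if (typeof require !== "undefined" && require.main === module) console.table(demo());
```

The first three samples are the same lure dressed differently, and all three classify as script because the normalization step mirrors what the URL parser does before it ever compares the scheme; a filter that only looked for the literal lowercase "javascript:" at position zero would miss two of them.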

And "spam" ordinarily refers to unwanted email. Facebook has seen plenty of spam-like activity, of course, with pointless survey scams promising unattainable rewards, and "likejacking" attacks that promote dubious products by hijacking users' "Like" clicks.

But as Chester Wisniewski of the security firm Sophos asked in a blog posting early today (Nov. 16), "What motivated the attackers to use this flaw in such a strange way? We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100 percent of them lead to some financial payout for the scammer."

Wisniewski's colleague Graham Cluley told Computerworld that Facebook's explanation more accurately described "clickjacking," a common technique in which another site loads a Facebook page invisibly on top of its own content, so that a click the user thinks is landing on the visible page actually lands on a hidden Facebook button such as Like or Share, which Facebook then processes as a genuine action by the logged-in user.
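As an added illustration (not code from the article, Facebook or Sophos), the following Node.js script shows the response headers that stop a page from being loaded in a frame on another site, which is the precondition for hiding a button under something the user wants to click, with the unprotected header set beside the hardened one and a small checker that evaluates them. The checker follows the rules of RFC 7034 (X-Frame-Options) and the CSP frame-ancestors directive but is a constructed illustration, not a browser's implementation; the function names, header sets and origins are assumptions made for this example.

```javascript
// Added example, not code from the article, Facebook or any browser. Shows the
// weak and hardened response headers for a page that must never be framed, and
// a checker that evaluates whether a given framing origin would be allowed.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns null when the directive is absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name && name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Would a page served with `headers` from `pageOrigin` load inside a frame on
// `framerOrigin`? Origins are "scheme://host[:port]" strings.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A frame-ancestors directive, when present, overrides X-Frame-Options.
  const csp = h["content-security-policy"];
  const ancestors = csp !== undefined ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    // An empty source list behaves like 'none': nothing may frame the page.
    return ancestors.some((src) => {
      const s = src.replace(/^'|'$/g, "").toLowerCase();
      if (s === "none") return false;
      if (s === "self") return framerOrigin === pageOrigin;
      if (s === "*") return true;
      return s === framerOrigin.toLowerCase();
    });
  }

  const xfo = h["x-frame-options"];
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return false;
    if (v === "SAMEORIGIN") return framerOrigin === pageOrigin;
    // ALLOW-FROM and unrecognized values are not honored consistently across
    // browsers; the checker treats them as no protection, the safe assumption.
  }
  return true; // nothing forbids framing
}

// Weak: nothing stops a third-party page from loading this response invisibly
// over its own content and steering the user's click onto a hidden button.
const WEAK_HEADERS = { "Content-Type": "text/html; charset=utf-8" };

// Hardened: send both headers, since older browsers know only X-Frame-Options
// and frame-ancestors takes precedence where both are understood.
const HARDENED_HEADERS = {
  "Content-Type": "text/html; charset=utf-8",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
};

function demo() {
  const page = "https://www.facebook.com";     // the site whose button is targeted
  const attacker = "https://attacker.example"; // constructed third-party origin
  return {
    weak: canBeFramed(WEAK_HEADERS, page, attacker),
    hardened: canBeFramed(HARDENED_HEADERS, page, attacker),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The distinction matters for the article's question of who can fix what: a self-XSS lure runs because of how the browser treats a pasted "javascript:" URL, whereas framing is refused or allowed on the strength of headers the framed site itself sends, so a clickjacking problem is one the site can close on its own.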

If clickjacking really is at the heart of this, then Facebook would have more control over the problem than it would over a browser vulnerability, and the closing sentence of its statement seemed to dovetail with that theory.

"We've put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people," Facebook said.

An email to Facebook seeking clarification of the statement was not immediately returned.