Facebook says it has largely tamed the flood of pornographic and shocking images that spread across the social network over the past few days, but its explanation of what happened was rather vague and contradictory.
"Recently, we experienced a coordinated spam attack that exploited a browser vulnerability," the company said in a statement posted on its own blog and emailed to journalists. "Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible."
Commenters on SecurityNewsDaily's own Facebook page reported still seeing disturbing images.
"I'm still seeing the odd one or two," said Andrew Raven Williams. "They do not have it under control," said Maury Nichols.
(If you're still seeing these images, it might be a result of a mistake your friends made. But it couldn't hurt to change your Facebook password to something strong, and to prune your page of apps and add-ons you don't need or use.)
Facebook's explanation of the problem and its solution may sound impressive, but it doesn't make much sense. The company didn't say which of the five major Web browsers — Internet Explorer, Firefox, Chrome, Safari or Opera — was targeted.
And "spam" ordinarily refers to unwanted email. Facebook has seen plenty of spam-like activity, of course, with pointless survey scams promising unattainable rewards, and "likejacking" attacks that promote dubious products by hijacking users' approval.
But as Chester Wisniewski of the security firm Sophos asked in a blog posting early today (Nov. 16), "What motivated the attackers to use this flaw in such a strange way? We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100 percent of them lead to some financial payout for the scammer."
If clickjacking, the technique behind likejacking, really is at the heart of this, then Facebook would have more control over the problem than it would over a browser vulnerability, and the closing sentence of its statement seemed to dovetail with that theory.
"We've put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people," Facebook said.
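The point above is that a site can defend itself against clickjacking without waiting on a browser fix, because the usual countermeasure is to stop the page from being rendered inside someone else's frame at all. The following is an added example written for this article, not Facebook's code and not a description of the "backend measures" it mentions; it shows the two layers a site typically uses: the response headers that tell browsers to refuse cross-origin framing, and a client-side check that hides the UI and tries to break out when the page nonetheless finds itself framed. The window and document objects are passed in as parameters so the logic can be exercised outside a browser with constructed stand-ins.

```javascript
// Added example, not from the article or from Facebook. Demonstrates the
// standard site-side defenses against clickjacking / likejacking.

// Headers a server sets so browsers refuse to render the page inside a
// frame owned by another origin. Both headers are emitted because some
// browsers honor only X-Frame-Options and others only the CSP directive.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot express an allow-list beyond SAMEORIGIN, so a
  // list of trusted framing origins has to go through CSP frame-ancestors.
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy":
      "frame-ancestors 'self' " + allowedOrigins.join(" "),
  };
}

// Client-side check: a page is framed when its own window is not the
// top-level window. `win` is a window-like object (window in a browser).
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Some cross-origin setups throw when `top` is touched; if the page
    // cannot even inspect its ancestor, treat it as framed.
    return true;
  }
}

// Defensive action: keep the body hidden unless the page is top-level, and
// try to navigate the top window to the real page. Returns the decision so
// it can be checked. `doc` is a document-like object (document in a browser).
function applyFrameBusting(win, doc) {
  if (!isFramed(win)) {
    doc.body.style.display = "block";
    return { framed: false, action: "shown" };
  }
  try {
    win.top.location = win.self.location;
    return { framed: true, action: "redirected-top" };
  } catch (e) {
    // A cross-origin top window refuses the navigation; keep the page's
    // clickable content hidden rather than let it be overlaid.
    doc.body.style.display = "none";
    return { framed: true, action: "kept-hidden" };
  }
}
```

In a real deployment the headers are the control that matters: script-based frame busting can be neutralized by a framing page (for example through the iframe sandbox attribute), so it is only a fallback for browsers that ignore the headers, and the page body should start out hidden in CSS so the script's job is to reveal it, not to conceal it after the fact.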
An email to Facebook seeking clarification of the statement was not immediately returned.