Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Facebook porn storm used same tactics as May's Bin Laden spam

IE8, IE9, Opera and Safari vulnerable to 'self-XSS' attacks that dupe users into pasting rogue JavaScript into browser address bar

The attacks against Facebook that planted pornography on users' news feeds relied on the same trickery as a campaign last spring that touted the death of Osama Bin Laden, a security researcher said today.

On Tuesday, Facebook confirmed what it called "a coordinated spam attack" that resulted in sexually explicit images, as well as photos of animal abuse, spreading on member's pages.

Facebook identified the hacker tactic used to hijack pages and bombard friends with the photos as an exploit of what it called a "self-XSS browser vulnerability."

That label -- self-XSS -- has been used by other researchers, including those at Commtouch , to describe a ploy where spam messages tell recipients to copy and paste JavaScript into their browser's address bar. The script, however, is in fact malicious and exploits a bug in the browser.

[Editor's note: Yesterday, Computerworld mistakenly identified self-XSS as a form of "clickjacking."]

To dupe users into doing their dirty work -- copying and pasting malicious JavaScript -- criminals have used a range of bait, including "exclusive" video and the giveaway of free Starbucks cards.

Last May, for instance, a Facebook spam campaign set the trap with the promise of a video supposedly showing the death of Al-Qaeda terrorist Osama Bin Laden at the hands of U.S. commandos.

In that campaign, Facebook recipients were directed to copy and paste JavaScript into their browser's address bar.

More than a year before the Bin Laden scam, a similar self-XSS attack circulated on Facebook that told recipients they could acquire a $25 Starbucks card for free.

Facebook did not specify which browsers were vulnerable to the recent attacks. But Chet Wisniewski, a Sophos security researcher, said his testing showed Google's Chrome and Mozilla's Firefox 6 and later were immune because they don't allow pasted JavaScript to execute from the address bar.

IE8 breezily executes pasted JavaScript, and -- contrary to Facebook's contention -- didn't warn us when we copied test script into the address bar.

"[But] I was able to get Internet Explorer 9 to execute JavaScript in the address bar," Wisniewski said in an email reply to questions today.

Computerworld found that Microsoft's IE8, Opera Software's Opera 11.5 and Apple's Safari 5.1 also executed test JavaScript pasted into the address bar.

IE8 and IE9 collectively account for about 39% of all browsers now in use.

Because Sophos has not seen a sample of the actual spam message, Wisniewski was unable to comment further on its makeup, or what kind of pitch the scammers used to convince people to paste malicious JavaScript into their browser.

But he did take Facebook to task. "Facebook supposedly put in self-XSS protection last spring, so it would appear to have failed," Wisniewski said.

Wisniewski was right: Just days after the Bin Laden spam hit Facebook, the company posted a document outlining additional steps it had taken to protect users. One of those steps was directed at self-XSS attacks.

"Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it's a bad idea," said Facebook. "[And] we are also working with the major browser companies to fix the underlying issue that allows spammers to do this."

Zscaler, an enterprise-oriented security firm, published more information about self-XSS, which it called "self-inflicted JavaScript injection," in a blog post today.

In the post, Zscaler included a benign JavaScript snippet -- javascript:alert('test'); -- that users could copy and paste into their browser's address bar to determine if it was vulnerable to self-XSS attacks.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com .

See more articles by Gregg Keizer .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Apple, Commtouch, Facebook, Google, Microsoft, Mozilla, Opera Software, Sophos, Starbucks, Topic
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: antispam, Cybercrime and Hacking, Facebook, internet, Internet-based applications and services, Malware and Vulnerabilities, security, social networking, Web 2.0 and Web Apps
Latest Blog Posts
Whitepapers
  • Optimizing Data Quality in the Enterprise - How to Tackle Your Bad Information
    Data quality – the measure of data accuracy, completeness, and consistency across a business – has become the core focus of information management efforts among many of today’s organizations. Problems with data quality continue to plague corporations of all types and sizes. In this paper, we will discuss some techniques companies can implement to enhance data quality across the entire enterprise. We will also highlight data quality management solutions, which provide businesses with the ability to effectively and economically enhance the correctness, completeness, and consistency of information in each and every system within their technology infrastructure.
    Learn more »
  • Consolidation Without Compromise
    Virtualisation of computer, storage and infrastructure is enabling the transformation of enterprise datacentres into private clouds. The impact is an unprecedented ability to consolidate infrastructure without compromise: no change to service level agreements (SLAs), no loss of performance or scale, and no regression in the organisation’s overall security posture. Read on.
    Learn more »
  • Enterprise Buyers Guide for Application Development Software
    New software delivery models, leaner and faster development methodologies, emerging mobile apps and the impact of open source are all key trends changing the way software will be procured in the future. To help organisations understand this changing landscape and to provide a framework for procurement Computerworld has created an enterprise buyers guide which includes the top technology trends in applications, programming, architectures and methodologies. It profiles the software vendors to watch, addresses the security concerns caused by Web 2.0 and examines the impact of Open Source Software (OSS).
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments