Facebook porn storm used same tactics as May’s Bin Laden spam
IE8, IE9, Opera and Safari vulnerable to 'self-XSS' attacks
The attacks against Facebook that planted pornography on users' news feeds relied on the same trickery as a campaign last spring that touted the death of Osama Bin Laden, a security researcher said today.
On Tuesday, Facebook confirmed what it called "a coordinated spam attack" that resulted in sexually explicit images, as well as photos of animal abuse, spreading on member's pages.
Facebook identified the hacker tactic used to hijack pages and bombard friends with the photos as an exploit of what it called a "self-XSS browser vulnerability."
That label -- self-XSS -- has been used by other researchers, including those at Commtouch, to describe a ploy where spam messages tell recipients to copy and paste JavaScript into their browser's address bar. The script, however, is in fact malicious and exploits a bug in the browser.
To dupe users into doing their dirty work -- copying and pasting malicious JavaScript -- criminals have used a range of bait, including "exclusive" video and the giveaway of free Starbucks cards.
Last May, for instance, a Facebook spam campaign set the trap with the promise of a video supposedly showing the death of Al-Qaeda terrorist Osama Bin Laden at the hands of U.S. commandos.
In that campaign, Facebook recipients were directed to copy and paste JavaScript into their browser's address bar.
More than a year before the Bin Laden scam, a similar self-XSS attack circulated on Facebook that told recipients they could acquire a $25 Starbucks card for free.
Facebook did not specify which browsers were vulnerable to the recent attacks. But Chet Wisniewski, a Sophos security researcher, said his testing showed Google's Chrome and Mozilla's Firefox 6 and later were immune because they don't allow pasted JavaScript to execute from the address bar.
(Source: computerworld.com)
