Much Ado About Facebook, Part II

Since the last Much Ado About Facebook post on the Blog, we have written additional articles, received a few comments, and also received updated information on the “threat,” so it seems that now is a good time for a follow-up article.  Reports continue to come in of pornographic and violent imagery on Facebook, and Facebook’s public relations department has confirmed the issue to at least two bloggers at Mashable and ZDNet, calling it a “self-XSS vulnerability” caused by their users pasting malicious JavaScript into their web browsers’ address bars.  Additionally, reports on CNN and elsewhere indicate that the culprits may have already been identified

The whole raison d’être of Facebook is to share activities between friends, and if a friend comments on the image, that means you see the comment in your news feed—along with the image.  Since this is the way one assumes Facebook and Facebook users are supposed to behave, it is difficult to describe it as a security vulnerability, per se, even though it has been exploited.  On the other hand, it could be considered a design flaw in the same fashion as Microsoft Windows’ AutoRun functionality—an operating system feature that was intended for use by software publishers but was mostly used by AutoRun worms for about half a decade until Microsoft severely curtailed its functionality in Windows 7.

While the images being displayed on Facebook are distasteful, the fact that users were tricked into seeing those – as opposed to, say, installing a password stealer, keylogger or Trojan bot downloader – indicates the perpetrators of this attack were more Beavis and Butthead than James Bond.  What is of concern, though, is that this type of flaw could be used for more malign reasons, and even more bafflingly, the continued lack of response from the official Facebook Security page.  While it is understandable that investigations into this are ongoing and that Facebook may have concerns about jeopardizing them through premature discussion, having your PR department respond to bloggers hardly indicates that this is a concern.  We look forward to hearing more about this incident… from Facebook.

Aryeh Goretsky, MVP, ZVSE
Distinguished Researcher

Facebook, offensive content, and terse responses

While the so-called Fawkes Virus remains a nebulous idea, as I mentioned here yesterday, there’s now much more information about the wave of offensive Facebook content that some have attributed to Anonymous and/or the Fawkes thing. Here are some of the better information sources we have identified .

  • Richi Jennings aggregated a number of comments for Computer World.
  • Facebook was widely quoted as attributing the attacks to a browser vulnerability that facilitates cross-site scripting:
    • Softpedia
    • CNN
    • Bloomberg
    • John Leyden in the Register  quoted Facebook at some length, and pointed out that the site seemed to be attributing the attack to social engineering and user error rather than a browser flaw or a site scripting error: “During this spam attack users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content.”
    • Mashable also quoted Facebook at length.
  • Aryeh Goretsky included lots of advice and links on this blog.
  • Dan Goodin, in another article for the Register, indicated that Facebook have made progress on identifying the people responsible for the attacks.

I’m glad Facebook is making progress, but I wish they were a little more forthcoming. The company seems to be limiting its communications to carefully worded statements to the press: I have yet to see any direct advice to its users on the “Facebook Known Issues” page or the “Facebook Security” page.

ESET Senior Research Fellow

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s