The whole raison d’être of Facebook is to share activities between friends, and if a friend comments on the image, that means you see the comment in your news feed—along with the image. Since this is the way one assumes Facebook and Facebook users are supposed to behave, it is difficult to describe it as a security vulnerability, per se, even though it has been exploited. On the other hand, it could be considered a design flaw in the same fashion as Microsoft Windows’ AutoRun functionality—an operating system feature that was intended for use by software publishers but was mostly used by AutoRun worms for about half a decade until Microsoft severely curtailed its functionality in Windows 7.
While the images being displayed on Facebook are distasteful, the fact that users were tricked into seeing those – as opposed to, say, installing a password stealer, keylogger or Trojan bot downloader – indicates the perpetrators of this attack were more Beavis and Butthead than James Bond. What is of concern, though, is that this type of flaw could be used for more malign reasons, and even more bafflingly, the continued lack of response from the official Facebook Security page. While it is understandable that investigations into this are ongoing and that Facebook may have concerns about jeopardizing them through premature discussion, having your PR department respond to bloggers hardly indicates that this is a concern. We look forward to hearing more about this incident… from Facebook.
Aryeh Goretsky, MVP, ZVSE
Facebook, offensive content, and terse responses
While the so-called Fawkes Virus remains a nebulous idea, as I mentioned here yesterday, there’s now much more information about the wave of offensive Facebook content that some have attributed to Anonymous and/or the Fawkes thing. Here are some of the better information sources we have identified.
- Richi Jennings aggregated a number of comments for Computer World.
- Facebook was widely quoted as attributing the attacks to a browser vulnerability that facilitates cross-site scripting.
- Mashable also quoted Facebook at length.
- Aryeh Goretsky included lots of advice and links on this blog.
- Dan Goodin, in another article for the Register, indicated that Facebook have made progress on identifying the people responsible for the attacks.
I’m glad Facebook is making progress, but I wish they were a little more forthcoming. The company seems to be limiting its communications to carefully worded statements to the press: I have yet to see any direct advice to its users on the “Facebook Known Issues” page or the “Facebook Security” page.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow