The attacks against Facebook that planted pornography on users' news feeds relied on the same trickery as a campaign last spring that touted the death of Osama Bin Laden, a security researcher said today.
On Tuesday, Facebook confirmed what it called "a coordinated spam attack" that resulted in sexually explicit images, as well as photos of animal abuse, spreading on member's pages.
Facebook identified the hacker tactic used to hijack pages and bombard friends with the photos as an exploit of what it called a "self-XSS browser vulnerability."
That label -- self-XSS -- has been used by other researchers, including those at Commtouch , to describe a ploy where spam messages tell recipients to copy and paste JavaScript into their browser's address bar. The script, however, is in fact malicious and exploits a bug in the browser.
[Editor's note: Yesterday, Computerworld mistakenly identified self-XSS as a form of "clickjacking."]
To dupe users into doing their dirty work -- copying and pasting malicious JavaScript -- criminals have used a range of bait, including "exclusive" video and the giveaway of free Starbucks cards.
Last May, for instance, a Facebook spam campaign set the trap with the promise of a video supposedly showing the death of Al-Qaeda terrorist Osama Bin Laden at the hands of U.S. commandos.
In that campaign, Facebook recipients were directed to copy and paste JavaScript into their browser's address bar.
More than a year before the Bin Laden scam, a similar self-XSS attack circulated on Facebook that told recipients they could acquire a $25 Starbucks card for free.
Facebook did not specify which browsers were vulnerable to the recent attacks. But Chet Wisniewski, a Sophos security researcher, said his testing showed Google's Chrome and Mozilla's Firefox 6 and later were immune because they don't allow pasted JavaScript to execute from the address bar.
IE8 breezily executes pasted JavaScript, and -- contrary to Facebook's contention -- didn't warn us when we copied test script into the address bar.
"[But] I was able to get Internet Explorer 9 to execute JavaScript in the address bar," Wisniewski said in an email reply to questions today.
Computerworld found that Microsoft's IE8, Opera Software's Opera 11.5 and Apple's Safari 5.1 also executed test JavaScript pasted into the address bar.
IE8 and IE9 collectively account for about 39% of all browsers now in use.
Because Sophos has not seen a sample of the actual spam message, Wisniewski was unable to comment further on its makeup, or what kind of pitch the scammers used to convince people to paste malicious JavaScript into their browser.
But he did take Facebook to task. "Facebook supposedly put in self-XSS protection last spring, so it would appear to have failed," Wisniewski said.
Wisniewski was right: Just days after the Bin Laden spam hit Facebook, the company posted a document outlining additional steps it had taken to protect users. One of those steps was directed at self-XSS attacks.
"Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it's a bad idea," said Facebook. "[And] we are also working with the major browser companies to fix the underlying issue that allows spammers to do this."
Zscaler, an enterprise-oriented security firm, published more information about self-XSS, which it called "self-inflicted JavaScript injection," in a blog post today.
In the post, Zscaler included a benign JavaScript snippet -- javascript:alert('test'); -- that users could copy and paste into their browser's address bar to determine if it was vulnerable to self-XSS attacks.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com .
See more articles by Gregg Keizer .
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.