Facebook Users Subjected to Loads of Porn Spam

For some people, the last thing they expect or want to see when they log onto Facebook is lewd and provocative sexual images posted on their news feeds. A mix of embarrassment, disgust, and shock can fill a person, especially when that person happens to be using Facebook at work. Nevertheless, that is exactly what many Facebook users have been experiencing this month.

According to Graham Cluley of the antivirus firm Sophos, attackers are using “clickjacking” to insert malicious code into a user’s browser. When a user goes to what seems like a normal website and clicks on a button, the clickjacking code covers the actual button with an invisible layer. Most users do not even know they have been jacked.

Facebook representatives announced Tuesday that they had identified the methods the hackers were using to exploit Facebook pages and called it a “self-XSS browser vulnerability.” XSS, which stands for cross-site scripting, usually takes advantage of vulnerabilities in software to insert malware, or even take control of the unsuspecting server or PC. In this case, the self-XSS may bait the user with promises of free giveaways or “exclusive” videos that they cannot resist clicking.

According to Sophos, the exploit requires the user to copy and paste JavaScript code into the browser’s address bar, a weakness that Google Chrome and Mozilla Firefox had already fixed. Sophos testers were able to easily execute JavaScript code from the Internet Explorer 8 and 9 address bar, but Facebook did not specify which browsers were affected by the spamming.
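To illustrate the kind of paste-time filtering an address bar can apply against this trick, here is an added example (not from the article, Sophos, Facebook, or any browser's source). The function names and sample strings are hypothetical and constructed for the demonstration.

```javascript
// Added illustration: strip a leading "javascript:" scheme from text pasted
// into a URL field. Function names are hypothetical, not a browser API.

const SCHEME = "javascript:";

// URL parsers ignore leading spaces/control characters and drop embedded
// tab, CR and LF, so "  java\tscript:" still parses as "javascript:".
// Returns how many characters of `text` make up that prefix, or 0 if none.
function leadingSchemeLength(text) {
  let i = 0;
  while (i < text.length && text.charCodeAt(i) <= 0x20) i++; // leading junk
  let matched = 0;
  while (i < text.length && matched < SCHEME.length) {
    const ch = text[i];
    if (ch === "\t" || ch === "\n" || ch === "\r") { i++; continue; }
    if (ch.toLowerCase() !== SCHEME[matched]) return 0;
    matched++;
    i++;
  }
  return matched === SCHEME.length ? i : 0;
}

// Strip the scheme repeatedly: "javascript:javascript:..." must not
// survive a single pass. Text without the scheme is returned unchanged.
function sanitizePastedUrl(text) {
  let out = text;
  let stripped = false;
  for (let n = leadingSchemeLength(out); n > 0; n = leadingSchemeLength(out)) {
    out = out.slice(n);
    stripped = true;
  }
  return { text: stripped ? out.trimStart() : text, stripped };
}

// Constructed sample inputs (harmless payloads) for a stand-alone run.
const samples = [
  "javascript:void(0)",
  "  JavaScript:javascript:void(0)",
  "java\tscript:void(0)",
  "https://example.com/?q=javascript:1",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizePastedUrl(s)));
}
```

A filter like this only covers pasted text; a user who is talked into typing the scheme by hand, or into using another script-execution surface, is not stopped by it.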

Facebook reportedly took steps to prevent self-XSS attacks after the Bin Laden spam that hit the social network’s news feeds last spring. Now it appears those security measures were not enough.
