The whole raison d’être of Facebook is to share activities between friends, and if a friend comments on the image, that means you see the comment in your news feed—along with the image. Since this is the way one assumes Facebook and Facebook users are supposed to behave, it is difficult to describe it as a security vulnerability, per se, even though it has been exploited. On the other hand, it could be considered a design flaw in the same fashion as Microsoft Windows’ AutoRun functionality—an operating system feature that was intended for use by software publishers but was mostly used by AutoRun worms for about half a decade until Microsoft severely curtailed its functionality in Windows 7.
While the images being displayed on Facebook are distasteful, the fact that users were tricked into seeing those, as opposed to, say, installing a password stealer, keylogger or Trojan bot downloader, indicates the perpetrators of this attack were more Beavis and Butt-Head than James Bond. What is of concern, though, is that this type of flaw could be used for more malign purposes and, even more bafflingly, that there has been a continued lack of response from the official Facebook Security page. While it is understandable that investigations into this are ongoing and that Facebook may have concerns about jeopardizing them through premature discussion, having your PR department respond to bloggers hardly indicates that this is a concern. We look forward to hearing more about this incident… from Facebook.
Aryeh Goretsky, MVP, ZVSE
Author: Aryeh Goretsky, ESET