While the so-called Fawkes Virus remains a nebulous idea, as I mentioned here yesterday, there's now much more information about the wave of offensive Facebook content that some have attributed to Anonymous and/or the Fawkes thing. Here are some of the better information sources we have identified.
- Richi Jennings aggregated a number of comments for Computer World.
- Facebook was widely quoted as attributing the attacks to a browser vulnerability that facilitates cross-site scripting:
  - Softpedia
  - CNN
  - Bloomberg
- John Leyden in the Register quoted Facebook at some length, and pointed out that the site seemed to be attributing the attack to social engineering and user error rather than a browser flaw or a site scripting error: "During this spam attack users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content."
- Mashable also quoted Facebook at length.
- Aryeh Goretsky included lots of advice and links on this blog.
- Dan Goodin, in another article for the Register, indicated that Facebook have made progress on identifying the people responsible for the attacks.
I'm glad Facebook is making progress, but I wish they were a little more forthcoming. The company seems to be limiting its communications to carefully worded statements to the press: I have yet to see any direct advice to its users on the "Facebook Known Issues" page or the "Facebook Security" page.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow