Since yesterday’s Much Ado About Facebook post in the ESET Threat Blog, we have written additional articles, received a few comments, and also received updated information on the “threat,” so it seems that now is a good time for a follow-up article. Reports continue to come in of pornographic and violent imagery on Facebook, and Facebook’s public relations department has confirmed the issue to at least two bloggers, at Mashable and ZDNet, calling it a “self-XSS vulnerability” caused by their users pasting malicious JavaScript into their web browsers’ address bars. Additionally, reports on CNN and elsewhere indicate that the culprits may have already been identified.

The whole raison d’être of Facebook is to share activities between friends, and if a friend comments on the image, that means you see the comment in your news feed—along with the image.  Since this is the way one assumes Facebook and Facebook users are supposed to behave, it is difficult to describe it as a security vulnerability, per se, even though it has been exploited.  On the other hand, it could be considered a design flaw in the same fashion as Microsoft Windows’ AutoRun functionality—an operating system feature that was intended for use by software publishers but was mostly used by AutoRun worms for about half a decade until Microsoft severely curtailed its functionality in Windows 7.

While the images being displayed on Facebook are distasteful, the fact that users were tricked into seeing those – as opposed to, say, installing a password stealer, keylogger or Trojan bot downloader – indicates the perpetrators of this attack were more Beavis and Butthead than James Bond. What is of concern, though, is that this type of flaw could be used for more malicious ends, and, even more bafflingly, the continued lack of response from the official Facebook Security page. While it is understandable that investigations into this are ongoing and that Facebook may have concerns about jeopardizing them through premature discussion, having your PR department respond to bloggers hardly indicates that this is a concern. We look forward to hearing more about this incident… from Facebook.
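As an added illustration, not code from the original post or from ESET or Facebook, here is the kind of server-side detection a platform could run over post events: a pasted self-XSS script publishes as whoever ran it, so the telltale signal is the same content appearing from many distinct accounts within a short window, rather than one account posting repeatedly. The event format, thresholds and sample values below are assumptions, constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (not from the post): (unix seconds, user id, hash of posted image).
# 'img_a' is the spreading image: six different accounts post it within one minute.
# 'img_b' is an ordinary share by two users; 'img_c' is one user re-posting their own image.
SAMPLE_EVENTS = [
    (1000, "u1", "img_a"), (1005, "u2", "img_a"), (1010, "u3", "img_a"),
    (1020, "u4", "img_a"), (1030, "u5", "img_a"), (1055, "u6", "img_a"),
    (1000, "u1", "img_b"), (5000, "u9", "img_b"),
] + [(1000 + 5 * i, "u7", "img_c") for i in range(10)]


def flag_content_bursts(events, window_seconds=60, min_distinct_users=5):
    """Return {content_hash: peak_distinct_users} for content that reached
    `min_distinct_users` distinct posters inside any `window_seconds` span.

    A self-XSS payload runs with each victim's own session, so the signal is
    many *different* accounts publishing identical content in a short time,
    not a single account posting repeatedly (which is normal, or a different abuse).
    """
    by_hash = defaultdict(list)
    for ts, user, content_hash in events:
        by_hash[content_hash].append((ts, user))

    flagged = {}
    for content_hash, posts in by_hash.items():
        posts.sort()
        counts = defaultdict(int)   # user -> number of posts inside the current window
        left = 0
        peak = 0
        for ts, user in posts:
            counts[user] += 1
            # Slide the left edge forward until the window is at most window_seconds wide.
            while ts - posts[left][0] > window_seconds:
                old_user = posts[left][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                left += 1
            peak = max(peak, len(counts))
        if peak >= min_distinct_users:
            flagged[content_hash] = peak
    return flagged


if __name__ == "__main__":
    print(flag_content_bursts(SAMPLE_EVENTS))  # {'img_a': 6}
```

A hit is a trigger for review and throttling of that content, not proof of a self-XSS campaign on its own; tuning the window and threshold against normal viral sharing is the real work.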


Regards,


Aryeh Goretsky, MVP, ZVSE
Distinguished Researcher