BitDepth 809 - November 22

Seen some naughty photographs in your Facebook stream? Here's why.
Facebook spam gets naughty
Mark Zuckerberg speaking at the F8 Facebook Developer’s Conference in September. Photo courtesy Facebook.

Early last week, surprising images started popping up in the streams of Facebook’s users. Some of them were outrageous images that crashed right through the boundaries of good taste; others were overtly sexual.

The images came as a shock to the people who were listed as posting them (most couldn’t see them until viewing friends’ streams), and not just because of what it’s possible to do with Photoshop and a dirty mind. The incident made it clear that Facebook remains vulnerable to hacker attacks.

The social network is usually very industrious about dealing with the security breaches that lead to surges of spam in its users’ newsfeeds, and in eliminating software running on its systems designed to harvest and exploit the passwords of the site’s 800 million users.

Early investigations suggest that this attack may not have been another rogue application, the usual source of compromised accounts, but an example of UI redressing, more popularly known as "clickjacking": a more recent technique in which clicks intended for a button or other user interface element are redirected to perform another action entirely.

Facebook posted a statement on the issue, describing the incident as “a coordinated spam attack that exploited a browser vulnerability.”
Describing the specific exploit as a “self-XSS vulnerability,” Facebook said that “users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content.”

The company claimed that it had instituted enforcement mechanisms to shut down the pages and accounts that attempt to exploit the vulnerability.
Clickjacking can be avoided by using web extensions such as NoScript for Firefox and Ghostery, which works on all major browsers. Microsoft’s Internet Explorer 8 includes some preliminary warning mechanisms to guard against this exploit.
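The browser extensions above are the user's side of the defence against UI redressing. The site's side is a response header that tells the browser not to render the page inside another site's frame. The following is an added example, not code from the column or from Facebook, that classifies a response's anti-framing headers the way a defender auditing a site would. The header sets are constructed samples; the function names are the example's own.

```javascript
// Added example: classify a site's anti-framing (anti-clickjacking) response headers.
// Runs under Node.js; the header sets below are constructed samples, not real captures.

// Parse the frame-ancestors directive out of a Content-Security-Policy value.
// Returns null when the directive is absent, otherwise the list of source tokens.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Decide whether a response's headers stop third-party sites from framing it.
// `headers` is an object keyed by lower-cased header name, as Node's http module provides.
// Browsers that support CSP frame-ancestors give it precedence over X-Frame-Options,
// so the CSP directive is examined first.
function assessFramingProtection(headers) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors) {
    if (ancestors.includes('*') || ancestors.includes('http:') || ancestors.includes('https:')) {
      return { protected: false, mechanism: 'csp', detail: 'frame-ancestors allows any origin' };
    }
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { protected: true, mechanism: 'csp', detail: 'frame-ancestors forbids all framing' };
    }
    return { protected: true, mechanism: 'csp', detail: `frame-ancestors restricted to ${ancestors.join(' ')}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: 'x-frame-options', detail: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Deprecated and ignored by current browsers, so it is not counted as protection.
    return { protected: false, mechanism: 'x-frame-options', detail: 'ALLOW-FROM is not honoured by current browsers' };
  }
  return { protected: false, mechanism: null, detail: 'no anti-framing header present' };
}

// Constructed sample responses: one with no protection, one relying on the legacy
// header, one using CSP, and one where a permissive CSP undoes an X-Frame-Options DENY.
const SAMPLE_RESPONSES = {
  unprotected: { 'content-type': 'text/html' },
  legacy: { 'x-frame-options': 'SAMEORIGIN' },
  modern: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  permissive: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors *' },
};

// Run the check over every sample and return the verdicts keyed by sample name.
function report() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = assessFramingProtection(headers);
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, verdict] of Object.entries(report())) {
    console.log(`${name.padEnd(12)} ${verdict.protected ? 'protected' : 'FRAMEABLE'} (${verdict.detail})`);
  }
}
```

The "permissive" sample is the case worth remembering: a Content-Security-Policy with a wide-open frame-ancestors list overrides a strict X-Frame-Options in browsers that support CSP, so both headers have to be read together rather than taking the presence of DENY as proof of protection.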

Some of the finger pointing has been directed at Facebook itself, which takes a backwards approach to user security, arbitrarily opening up users’ profiles and content with service upgrades and requiring its users to manage several pages’ worth of settings to lock down their accounts.

Facebook’s long-standing position is that they run a social site that’s based on sharing of content and information and for that reason, open access to profile information and content is both desirable and necessary.
Unfortunately, many users trust the clean design and professional look of the site and post content without realising, sometimes until it’s too late, that almost anyone can view it.

Facebook’s enthusiasm to have developers participate in making its service lively, while sometimes schizophrenic (the company deprecates apps and moves them off premium screen real estate regularly), has led to more than a million developers being certified to create software for the service and most of it falls far short of the standards of Farmville.

Some of the programming produced by this large developer base, unfortunately, is designed to capture information about the attractively large number of Internet users who populate the site or lure them off the site entirely to be scammed of their money.

If a stream of naughty images caught you by surprise last week, you might be thinking twice about continuing to use the service. Before you decide, you might want to take a look at CSO’s ten reasons to quit Facebook.