Facebook 'eliminates' spam after coordinated attack

Summary: Facebook has said that the coordinated spam attack on the social network has now been 'eliminated', but says it was a browser flaw, and not its fault.

Facebook has said that it has rid the world's largest social network of most of the pornographic, graphic and violent imagery that was posted as part of a co-ordinated spam attack.

The social networking giant had blamed a vulnerability that enabled a JavaScript link to be executed maliciously in a user's browser address bar, which perpetuated the spread of graphic imagery of mutilated animals, pseudo-images of supposed celebrities and gory violence.

Engineers have been working night and day to eliminate "most of the spam" caused by the attack, as the company works to "improve our systems to better defend against similar attacks in the future", a Facebook spokesperson said.

While Facebook said that "no user data or accounts were compromised during the attack", the company said that the attack had now come to a close.

The social network blames a browser flaw that allowed the "self-XSS vulnerability" to go ahead, a spokesperson said, but declined to comment on which browsers had the flaw.

While this kind of linkspam has been seen on Facebook before, columnist Emil Protalinski reports, the social network has not seen this level of attack to date.

ZDNet columnist Violet Blue, who first broke the story, said that users have "avoided the site, and facing down the chore of deactivating accounts to prevent assaulting friends, family and co-workers with unwanted imagery".

Facebook has said that it "knows" who orchestrated the attack, but a BBC source said that it was not the notorious hacktivist group Anonymous.

Some security experts had said that it was difficult for the social networking giant to respond to this threat, partly because the source of the vulnerability was in a browser flaw rather than with Facebook itself.

Sophos security expert Chester Wisniewski warned users to update their browser, and not to directly enter what appear to be non-URL codes into the browser's address bar.

About

Zack Whittaker is a writer-editor for ZDNet, and sister sites CNET and CBS News. He is based in the New York newsroom. His PGP key is: EB6CEEA5.