Facebook 'eliminates' spam after coordinated attack

Summary: Facebook has said that the coordinated spam attack on the social network has now been 'eliminated', but says it was a browser flaw, and not its fault.


Facebook has said that it has rid the world's largest social network of most of the pornographic, graphic and violent imagery that was posted as part of a co-ordinated spam attack.

The social networking giant had blamed a vulnerability that allowed a malicious JavaScript link to be executed from the address bar of users' browsers, which perpetuated the spread of graphic imagery of mutilated animals, pseudo-images of supposed celebrities and gory violence.

Engineers have been working night and day to eliminate "most of the spam" caused by the attack, as the company works to "improve our systems to better defend against similar attacks in the future", a Facebook spokesperson said.

Facebook said that "no user data or accounts were compromised during the attack", and that the attack had now come to a close.

The social network blames a browser flaw for allowing the "self-XSS vulnerability" to be exploited, a spokesperson said, but the spokesperson declined to comment on which browsers had the flaw.

While this kind of linkspam has been seen on Facebook before, columnist Emil Protalinski reports, the social network has not seen this level of attack to date.

ZDNet columnist Violet Blue, who first broke the story, said that users have "avoided the site, and facing down the chore of deactivating accounts to prevent assaulting friends, family and co-workers with unwanted imagery".

Facebook has said that it "knows" who orchestrated the attack, but a BBC source said that it was not the notorious hacktivist group Anonymous.

Some security experts had said that it was difficult for the social networking giant to respond to this threat, partly because the source of the vulnerability was in a browser flaw rather than with Facebook itself.

Sophos security expert Chester Wisniewski warned users to update their browser, and not to directly enter what appear to be non-URL codes into the browser's address bar.


Topics: Security, Browser, Social Enterprise

  • Would be funny if it turned out to be someone on the G+ team :)

    That would make me ROFLMAO.
    Johnny Vegas
  • RE: Facebook 'eliminates' spam after coordinated attack

    Internet explorer, we all know it!
    • RE: Facebook 'eliminates' spam after coordinated attack

      And Chrome too
    • RE: Facebook 'eliminates' spam after coordinated attack

      @xkizer Not IE9. You can't paste a javascript: URL into the address bar in IE9 (it strips out the javascript: prefix). You can manually type javascript: of course.
  • RE: Facebook 'eliminates' spam after coordinated attack

    Soooooo...... one type of spam is eliminated from another type of spam?