Facebook 'eliminates' spam after coordinated attack

Facebook has said that the coordinated spam attack on the social network has now been 'eliminated', but says it was a browser flaw, and not its fault.

Facebook has said that it has rid the world's largest social network of most of the pornographic, graphic and violent imagery that was posted as part of a co-ordinated spam attack.

The social networking giant had blamed a vulnerability that enabled a JavaScript link to be executed maliciously in a user's browser address bar, which perpetuated the spread of graphic imagery of mutilated animals, pseudo-images of supposed celebrities and gory violence.

Engineers have been working night and day to eliminate "most of the spam" caused by the attack, as the company works to "improve our systems to better defend against similar attacks in the future", a Facebook spokesperson said.

Facebook said that "no user data or accounts were compromised during the attack", and that the attack had now come to a close.

The social network blames a browser flaw that allowed the "self-XSS vulnerability" to go ahead, a spokesperson said, but declined to comment on which browsers had the flaw.

While this kind of linkspam has been seen on Facebook before, columnist Emil Protalinski reports, the social network has not seen this level of attack to date.

ZDNet columnist Violet Blue, who first broke the story, said that users have "avoided the site, and facing down the chore of deactivating accounts to prevent assaulting friends, family and co-workers with unwanted imagery".

Facebook has said that it "knows" who orchestrated the attack, but a BBC source said that it was not the notorious hacktivist group Anonymous.

Some security experts had said that it was difficult for the social networking giant to respond to this threat, partly because the source of the vulnerability was in a browser flaw rather than with Facebook itself.

Sophos security expert Chester Wisniewski warned users to update their browsers, and not to directly enter what appear to be non-URL codes into the browser's address bar.

