Facebook has confirmed that a series of pornographic and violent images posted on user walls this week were the result of a self-XSS attack. XSS stands for cross-site scripting. Self-XSS means that the malicious script was actually activated by the user, rather than being hidden in the code of a web page. You may be wondering how this works.
When you have a Facebook session open (i.e. you’re logged in), Facebook’s servers treat all requests coming from your browser as requests from you. So if somehow your browser were to issue a request for a wall post without your knowledge, Facebook would dutifully display the wall post. In this week’s attacks users were promised “something” in exchange for pasting a line of text into their browser address bars.
(It is still not clear what the “something” was; theories include a link to a (rather gross) video that “95% of people can’t watch”, a link to a free Starbucks coffee voucher, or a pornographic video.)
When users paste the text provided into their browser’s address bar they are effectively telling their browser to act on their behalf and do whatever the script says: in most cases it will visit an external site (the “cross-site” of “cross-site scripting”) and then be told to post a wall post or an event invite. This perpetuates the attack as friends see the posts and follow them.
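The line of text victims were asked to paste is a `javascript:` URL, which the address bar treats as code to run in the context of the currently open Facebook page. Modern browsers defend against exactly this by refusing to run `javascript:` URLs that were pasted rather than typed, and by recognising the scheme even when it is disguised with odd casing, leading spaces or embedded tabs and newlines (the URL parser strips those before matching the scheme). The following added example, not code from the original article or from Facebook, shows that classification logic in JavaScript as a help-desk or browser-extension check might implement it; the function names and sample strings are constructed for illustration.

```javascript
// Added example: classify a pasted string the way a browser's URL parser
// would before deciding whether it is a "javascript:" URL. Per the WHATWG
// URL standard, leading/trailing C0 control characters and spaces are
// stripped, ASCII tab and newline are removed anywhere in the input, and
// the scheme is matched case-insensitively. A naive
// input.startsWith("javascript:") check misses all of those variants.

function normalizeForSchemeCheck(input) {
  // Strip leading and trailing C0 controls (U+0000-U+001F) and U+0020.
  let s = input.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  // Remove ASCII tab, LF and CR wherever they appear ("java\nscript:" etc).
  s = s.replace(/[\t\n\r]/g, "");
  return s;
}

function extractScheme(input) {
  // A URL scheme is an ASCII letter followed by letters, digits, "+", "-"
  // or ".", terminated by ":". Returns the lower-cased scheme or null.
  const s = normalizeForSchemeCheck(input);
  const m = /^([A-Za-z][A-Za-z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

function isJavascriptUrl(input) {
  return extractScheme(input) === "javascript";
}

// Coarse verdict a defensive tool could surface to a user or an analyst.
function classifyPastedText(input) {
  if (isJavascriptUrl(input)) return "javascript-url";
  const scheme = extractScheme(input);
  if (scheme === "http" || scheme === "https") return "web-url";
  return "other";
}

// Constructed sample inputs (not real lure text): the first three are the
// same harmless "javascript:" URL with increasingly obfuscated spelling.
const SAMPLES = [
  "javascript:void 0",
  "  \tJaVaScRiPt:void 0",
  "java\nscript:void 0",
  "https://www.facebook.com/",
  "free coffee voucher",
];

function classifyAll(samples) {
  return samples.map((s) => classifyPastedText(s));
}

// Running this file prints one verdict per sample.
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", classifyPastedText(s));
}
```

The point of the normalisation step is that the string a victim pastes need not look like a URL at all to a human; the browser still reduces it to a `javascript:` scheme before executing it, so any warning logic has to apply the same reductions first.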