
Cyren Security Blog


Nasty Facebook picture attack based on “self-XSS” – how does this work?

Facebook has confirmed that a series of pornographic and violent images posted on user walls this week were the result of a self-XSS attack. XSS stands for cross-site scripting. Self-XSS means that the malicious script was actually activated by the user themselves, rather than being hidden in a web page's code. You may be wondering how this works.

When you have a Facebook session open (i.e., you are logged in), Facebook's servers treat every request coming from your browser as a request from you. So if your browser were somehow made to issue a request for a wall post without your knowledge, Facebook would dutifully publish that wall post. In this week's attacks, users were promised "something" in exchange for pasting a line of text into their browser's address bar.

(It is still not clear what the "something" was. Theories include a link to a (rather gross) video that "95% of people can't watch", a link to a free Starbucks coffee voucher, or a pornographic video.)

When users paste the provided text into their browser, they are effectively telling the browser to act on their behalf and do whatever the script says. In most cases the script fetches further instructions from an external site (the "cross-site" of "cross-site scripting") and is then told to publish a wall post or an event invite. Because the script runs inside the logged-in Facebook session, the resulting posts are indistinguishable from ones the user made deliberately. This perpetuates the attack as friends see the posts and follow them.

In the Osama Bin Laden attacks we described in May, users were tricked into doing the same thing with promises of "Osama death videos". The screen below shows the sort of instructions that were used then and again this week. As a result of the May attacks, Chrome, Firefox and IE9 were updated to prevent users from entering the word "javascript" in the address bar. This week's Facebook attacks apparently succeeded on older browser versions or on other browsers that lack this protection.
