A campaign of explicit spam on Facebook this week has been traced to a relatively obscure technique known as self-inflicted JavaScript injection (more commonly called self-XSS), and not to malicious code running on Facebook's massive network, an independent analysis has shown.
The campaign, in which violent and pornographic images appeared on the walls of various users on the network, caught the attention of the media this week after users began complaining. Though initial reports suggested the explicit images were spreading automatically between Facebook users, security firm Zscaler said its analysis suggests that is not the case.
In a blog post published yesterday, the researchers argued that the attack required Facebook users to copy and paste JavaScript directly into their browser's address bar. A script run that way executes in the context of the page that is open in the tab, in this case facebook.com, so it inherits the victim's logged-in session and can do anything the victim can. That script allowed the attackers to modify the user's Facebook page, posting the offending images and then messaging the user's Facebook friend network. Nothing on Facebook's side was exploited; the victim supplied the code and the browser ran it under the victim's own credentials.
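As an added example, not code from the article or from Zscaler, the following JavaScript shows the check a defensive address bar or paste handler can make before treating pasted text as a URL: normalize the input the way the WHATWG URL parser does before it reads the scheme (strip leading and trailing control characters and spaces, drop embedded tabs and newlines, compare the scheme case-insensitively), so that case tricks or a line break in the middle of "javascript" do not hide the scheme. The function names and the pasted strings are hypothetical, constructed for the example.

```javascript
// Added example: detecting a javascript: URL in pasted text the way a URL
// parser would see it. Function names here are hypothetical.

// Apply the WHATWG URL parser's pre-processing: trim leading/trailing
// C0 controls and spaces, then remove ASCII tab, LF and CR anywhere.
function normalizeForSchemeCheck(input) {
  let s = input.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
  s = s.replace(/[\t\n\r]/g, '');
  return s;
}

// Return the lowercased scheme, or null when the text has no valid scheme
// (first char must be ASCII alpha, then alphanumerics, '+', '-', '.', then ':').
function extractScheme(input) {
  const s = normalizeForSchemeCheck(input);
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// True when the pasted text would be executed as script if navigated to.
function isJavascriptUrl(input) {
  return extractScheme(input) === 'javascript';
}

// What a defensive address bar does on paste: drop the scheme so the
// remainder is handled as plain text (e.g. a search) instead of run as code.
function stripJavascriptScheme(input) {
  const s = normalizeForSchemeCheck(input);
  if (extractScheme(input) !== 'javascript') return s;
  return s.slice(s.indexOf(':') + 1);
}

// Constructed sample pastes, in the style of the copy-and-paste lure
// described above (payloads are inert stand-ins, not the campaign's script).
const samplePastes = [
  'javascript:alert(document.cookie)',
  '  JaVaScRiPt:alert(1)',
  'java\nscript:alert(1)',
  'javascript :alert(1)',
  'http://example.com/?u=javascript:alert(1)',
  'javascript&#58;alert(1)',
  'data:text/html,<script>',
  'not a url',
];

// Classify each sample; returns [input, scheme, isJavascript] triples.
function classifySamples(pastes = samplePastes) {
  return pastes.map((p) => [p, extractScheme(p), isJavascriptUrl(p)]);
}

for (const [input, scheme, js] of classifySamples()) {
  console.log(JSON.stringify(input), '->', scheme, js ? '(BLOCK)' : '');
}
```

Run with node. The "javascript :alert(1)" case is deliberately not flagged: an interior space is not removed by the parser, so that text has no valid scheme and a browser would not execute it either. Major browsers have since adopted the other half of this defense, stripping or refusing to run a javascript: scheme pasted into the address bar, which is why a copy-and-paste lure like this one no longer works as written.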
Facebook has reportedly scrubbed its network of the majority of the offensive content.
Zscaler claims this sort of technique isn't new, and that it was widely used in the spate of Facebook attacks that occurred shortly after the death of Osama bin Laden. The method is, however, less frequently used than the standard likejacking and clickjacking scams we've all become accustomed to seeing on Facebook.