Update: Facebook identifies those behind coordinated spam attack

Over the last few days, Facebook users have been experiencing a flood of links, videos, and images depicting pornography, acts of violence, self-mutilation, and bestiality. Facebook confirmed the NSFW problem with me this morning and now, this afternoon, is offering more details. In short, Facebook says it was hit by a coordinated spam attack leveraging a browser vulnerability.

Some members of the social network are complaining that violent and/or pornographic pictures they have allegedly Liked are showing up in their News Feeds without their knowledge. Others are being told by their friends that they are sending requests to click on links to videos, sending out bogus chat messages, or posting mass messages and tagged photos that lead people to believe they are in the link. If you are affected by this, please see "Facebook virus or account hacked? Here's how to fix it."

We've seen this type of spam on Facebook before, but it's coming in at a much faster pace, as if it were something planned in advance. According to the company, this spam attack all started with users being tricked into pasting and executing malicious JavaScript in their browser's URL bar. I asked the company for details on the browser vulnerability; more specifically, I wanted to know which versions of which browsers were affected.

The Palo Alto-based company says it has been shutting down the malicious Pages and accounts that attempt to exploit this flaw and has been giving users guidance on how to protect themselves. Overall, the company claims it has managed to drastically reduce the rate of the attack, but wouldn't elaborate with actual numbers.

"Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms," a Facebook spokesperson said in a statement. "Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible."

"During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content," the spokesperson continued. "Our engineers have been working diligently on this self-XSS vulnerability in the browser. We've built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We've put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people."

Users are unsurprisingly outraged, and as is typical with Facebook members, many are already threatening to close their accounts. I personally have not seen any such Facebook activity on my own profile, and neither have my friends. Still, although the service's users complain about a lot of small things, this is not one of them. That being said, it's still not known how many of the site's 800 million active users are affected.

Some have blamed the hacktivist group Anonymous, which was rumored to be planning to take down the social network on November 5, for this attack. Three months ago, the larger collective made a point of saying it did not support such a takedown operation, and in the end it did not take place: the service has remained operational all month.

Facebook is still up and running, but it has been exploited in a coordinated way. There is no proof that Anonymous is behind this flood of inappropriate images and links (normally such an attack would result in confirmation from Anonymous, in some shape or form), but it only takes a few members or ex-members to pull something like this off.

This is a developing story: I will continue updating you as Facebook's investigation progresses.
