A rash of clickjacks has led to the spread of violent and pornographic images across Facebook in the last day, causing outrage among users and raising concerns that it is part of an attack by a faction of the hacker group Anonymous.

The attack demonstrates the vulnerability of the service to social engineering attacks that take advantage of Facebook's application framework. It uses a link disguised as a seemingly innocuous news story as bait—made more prominent thanks to the recent changes Facebook made in how it displays users' timelines.

According to a statement from Facebook, the attack used bait links to trick users into running a script that cut and pasted JavaScript code into the browser's URL bar, "causing them to unknowingly share this offensive content." Facebook has taken steps to shut down the malicious websites used in the attack, and said that it has reduced their frequency—but didn't say that the attack was over.

"Our engineers have been working diligently on this self-XSS vulnerability in the browser," Facebook's spokesperson said in the statement. "We’ve built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We’ve put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people."

Some of the images spread by the attack, including images of Justin Bieber edited into sexual situations and photos of animal cruelty, are characteristic of the 4chan site's "b" discussion board where the Anonymous group was born, Sophos senior technology consultant Graham Cluley reported in the Naked Security blog. Previously, messages purportedly from Anonymous had threatened to take down Facebook on Guy Fawkes Day, November 5, in protest over Facebook's weak privacy protections—an attack that failed to materialize on that date. The attack does come, however, on the heels of Facebook reaching an agreement with the Federal Trade Commission to alter its policies to make all future changes to privacy settings "opt in."

No one purporting to be associated with Anonymous has taken credit for the clickjack so far.