Nasty Facebook picture attack based on “self-XSS” – how does this work?

Facebook has confirmed that a series of pornographic and violent images posted on user walls this week were the result of a self-XSS attack (XSS = cross-site scripting). "Self-XSS" means the malicious script was run by the user themselves, rather than being hidden in the code of a web page. You may be wondering how this works.

When you have a Facebook session open (i.e. you're logged in), your browser attaches your session cookie to every request it sends to Facebook, so Facebook's servers treat all requests coming from your browser as requests from you. If somehow your browser were to issue a request for a wall post without your knowledge, Facebook would dutifully display the wall post. In this week's attacks, users were promised "something" in exchange for pasting a line of text into their browser's address bar.

(It is still not clear what the "something" was; theories include a link to a (rather gross) video that "95% of people can't watch", a link to a free Starbucks coffee voucher, and a pornographic video.)

When users paste the provided text into their browser, they are effectively telling the browser to act on their behalf and do whatever the script says. In most cases the script loads further code from an external site (the "cross-site" in "cross-site scripting") and is then told to post a wall post or an event invite. This perpetuates the attack, as friends see the posts and follow them.

In the Osama Bin Laden attacks we described in May, users were tricked into doing this with promises of "Osama death videos". The screen below shows the sort of instructions that were used then and again this week. As a result of the May attacks, Chrome, Firefox and IE9 were updated to stop "javascript:" text pasted into the address bar from being run as a script. This week's Facebook attacks apparently succeeded on older versions of those browsers or on other browsers.
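To make the browser-side defence concrete, here is an added example (not code from the original post, nor from any browser vendor) that models what an address bar has to do to neutralise a pasted "javascript:" line. The function name `classifyAddressBarInput` and its return shape are assumptions for illustration. It follows the URL standard's rules that attackers lean on to slip past a naive check: leading and trailing control characters and spaces are stripped, ASCII tab, newline and carriage return are removed anywhere in the string, and the scheme is compared case-insensitively. When the result is a script URL, the scheme is dropped so the remainder falls through to an ordinary search or navigation instead of executing in the page.

```javascript
// Added example: a model of the "strip javascript: from pasted text" defence,
// not real browser code. Names and return shape are assumptions.

// Normalise pasted text the way the URL standard does before scheme parsing.
function normaliseUrlInput(text) {
  return text
    // strip leading/trailing C0 controls and spaces (U+0000..U+0020)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    // remove ASCII tab, LF and CR anywhere, so "java\nscript:" == "javascript:"
    .replace(/[\t\n\r]/g, '');
}

// Decide whether pasted address-bar text is a script URL and, if so,
// remove the scheme so the remainder is never executed as script.
function classifyAddressBarInput(pasted) {
  const cleaned = normaliseUrlInput(pasted);
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  const scheme = m ? m[1].toLowerCase() : null;
  if (scheme === 'javascript') {
    return { isScriptUrl: true, scheme, text: cleaned.slice(m[0].length) };
  }
  return { isScriptUrl: false, scheme, text: cleaned };
}

// Constructed sample inputs, all using the harmless body "void(0)".
const samples = [
  'javascript:void(0)',
  '  JaVaScRiPt:void(0)',
  'java\nscript:void(0)',
  'https://www.facebook.com/',
];
for (const s of samples) {
  const r = classifyAddressBarInput(s);
  console.log(JSON.stringify(s), '->', r.isScriptUrl ? 'script URL stripped' : 'allowed', JSON.stringify(r.text));
}

module.exports = { normaliseUrlInput, classifyAddressBarInput };
```

The point of the whitespace and case handling is that a check for the literal lowercase string "javascript:" at position zero is not enough; the browser's own URL parser would happily accept the mixed-case or newline-split variants, so the defence has to normalise first and compare afterwards.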