i2 Security Blog

Keeping you up to date on the world of IT Security

Facebook promises ‘consequences’ for smut scammers!

Facebook officials have tracked down the scammers responsible for filling the social network with images depicting bestiality, self-mutilation and other depravity, and are vowing to seek justice.

Facebook has blamed the extreme smut on a “self-XSS vulnerability in the browser” that tricked users into pasting and executing malicious JavaScript in their address bars, causing them to unknowingly share this content. Many victims have reported that the highly offensive content is visible to others but not to the user whose account was used to spread it.

According to reports published by PCMag.com and ZDNet, Facebook officials have also figured out who is behind the attack. Both reports cited the same statement from a Facebook PR representative that says:

“In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow.”

Facebook has yet to elaborate on key details of the ongoing attack. It is still unknown whether the cross-site scripting vulnerability is unique to a particular browser, or how many of its 800 million users have been affected.

Security firm Zscaler has published a primer on self-inflicted JavaScript injection on its website. In the post, researcher Mike Geide says the most common ploy in the ongoing deluge comes from malicious Facebook groups that ask users to join and then enter JavaScript into their URL bar.

The scripts contain obfuscated code that generates invite messages to all of a user’s Facebook friends and includes an invisible link, which has now been taken down.
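The ploy above depends on a user pasting a `javascript:` URL into the address bar. Browsers later added mitigations of exactly this kind, refusing or stripping `javascript:` text pasted into the address bar. The check below is an added example, not code from the original post, from Facebook or from Zscaler; it classifies text as a `javascript:` URL using the same stripping rules a browser's URL parser applies, so that a warning or a link filter is not bypassed by trivial obfuscation. All function names and sample inputs are constructed for the example.

```javascript
// Added example: detect a javascript: URL the way a browser's URL parser does.
// WHATWG URL parsing first strips leading/trailing C0 controls and spaces
// (U+0000..U+0020) and then removes every ASCII tab, LF and CR anywhere in the
// input, before the scheme is read. "java\tscript:" therefore parses as the
// javascript scheme, and a naive startsWith("javascript:") check misses it.
function normalizeUrlText(text) {
  return String(text)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Returns the lower-cased scheme, or null when the text carries no scheme.
function urlScheme(text) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normalizeUrlText(text));
  return m ? m[1].toLowerCase() : null;
}

function isJavascriptUrl(text) {
  return urlScheme(text) === "javascript";
}

// Cross-check against the platform URL parser (global URL in Node >= 10 and in
// browsers): it applies the same stripping, which is the point of the example.
function parserAgrees(text) {
  let parsed;
  try {
    parsed = new URL(text);
  } catch {
    return urlScheme(text) === null;
  }
  return (parsed.protocol === "javascript:") === isJavascriptUrl(text);
}

// Constructed sample inputs; the "payload" bodies are placeholders, not scripts.
const SAMPLES = [
  "https://www.example.com/",
  "javascript:runPayload()",
  "  JaVaScRiPt:runPayload()",
  "java\tscript:runPayload()",
  "\u0001javascript:runPayload()",
  "data:text/html,hello",
];

function classifySamples() {
  return SAMPLES.map((s) => ({
    text: s,
    javascript: isJavascriptUrl(s),
    parserAgrees: parserAgrees(s),
  }));
}
```

Run `classifySamples()` to see that four of the six constructed inputs are `javascript:` URLs despite mixed case, leading control characters and an embedded tab, and that the hand-written normalisation agrees with `new URL()` on every one of them.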

Mac Webcams Hijacked via a Bug in Flash

It has emerged that a bug in Adobe’s Flash Player can allow the webcams and microphones on Apple Macs to be hijacked by website owners, allowing them to eavesdrop without permission.

All that’s required is to visit a malicious website and click on a few buttons on that page. Without warning, the visitor’s camera and microphone will be activated and the video and audio intercepted. On Wednesday Adobe said it was planning to fix the vulnerability, which is caused by flaws in the Flash Player Settings Manager. The panel, which is used to designate which sites may access feeds from a user’s camera and mic, is delivered in the SWF format used by Flash. A computer science student at Stanford University, Feross Aboukhadijeh, discovered he could embed the SWF file in an invisible iframe and superimpose misleading graphics on top that tricked visitors into changing the underlying privacy settings.

Settings Manager is actually hosted on Adobe’s servers, so a fix should be possible without releasing an update to users’ machines. A spokesperson for Adobe has said an update should be in place by the end of the week.

The Stanford student said that so far only Macs running Safari or Firefox were vulnerable, but indicated that further research may make the attack more universal.

Facebook adds Websense Phishing Filters

Facebook has announced it is stepping up its efforts to help users protect themselves from malicious or phishing links posted on the site. Phishing links often lead to username and password theft.

As of next week, users will be warned if they are about to be taken to a malicious website when following a link; this has been made possible by partnering with security firm Websense. The current setup already alerts users when they are about to visit another website, but makes no distinction between a friendly and a malicious one.

The new technology will show a warning screen whenever the system thinks there is a risk. From this screen, users can return to the Facebook page or continue on to the linked website at their own risk.

The protection will be powered by Websense’s “ThreatSeeker Cloud”, a system that maintains a database of known malicious URLs.
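The mechanism described above comes down to one decision per outbound link: internal link, external link with no known risk, or external link that matches a reputation database and deserves the warning screen. The code below is an added example of that decision, not Facebook's or Websense's code; the site name, blocklist entries and links are all constructed, and a real deployment would query a reputation feed such as the one the article mentions instead of the inline lists.

```javascript
// Added example: the decision behind an outbound-link warning screen.
const SITE_HOST = "social.example"; // the site whose outbound links are checked (constructed)

// Constructed reputation data: hosts (matched including their subdomains) and
// exact URL prefixes reported as phishing or malware.
const BLOCKED_HOSTS = new Set(["login-verify.example.net", "free-gift.example.org"]);
const BLOCKED_PREFIXES = ["http://cdn.example.com/promo/"];

// Canonicalise so that case, default ports, fragments and a trailing dot cannot
// be used to dodge a match: the URL parser lower-cases the host and drops ":80"/":443".
function canonicalize(href) {
  const u = new URL(href);
  u.hash = "";
  u.hostname = u.hostname.replace(/\.$/, "");
  return u;
}

// Returns the blocklisted domain that the host name equals or sits under, or null.
function blockedHostMatch(hostname) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (BLOCKED_HOSTS.has(candidate)) return candidate;
  }
  return null;
}

// Returns { action, reason }: "allow" (internal link), "leave-site" (external,
// no known risk), or "warn" (the interstitial offering return or continue).
function decideOutboundLink(href) {
  let u;
  try {
    u = canonicalize(href);
  } catch {
    return { action: "warn", reason: "unparseable URL" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { action: "warn", reason: `unsupported scheme ${u.protocol}` };
  }
  if (u.hostname === SITE_HOST || u.hostname.endsWith("." + SITE_HOST)) {
    return { action: "allow", reason: "internal link" };
  }
  const badHost = blockedHostMatch(u.hostname);
  if (badHost) {
    return { action: "warn", reason: `host ${badHost} is on the blocklist` };
  }
  const badPrefix = BLOCKED_PREFIXES.find((p) => u.href.startsWith(p));
  if (badPrefix) {
    return { action: "warn", reason: `URL matches blocked prefix ${badPrefix}` };
  }
  return { action: "leave-site", reason: "external link with no known risk" };
}
```

Canonicalising before the lookup is the part that matters: `https://WWW.Login-Verify.example.net:443/auth#x` and `https://login-verify.example.net/auth` must hit the same blocklist entry, and anything that cannot be parsed or does not use `http`/`https` goes to the warning screen rather than being followed blindly.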