According to reports published by PCMag.com and ZDNet, Facebook officials have also figured out who is behind the attack. Both reports cited the same statement from a Facebook PR representative that says:
“In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow.”
Facebook has yet to elaborate on key details of the ongoing attack. It’s still unknown if the cross-site scripting vulnerability is unique to a particular browser and how many of its 800 million users have been affected.
The scripts contain obfuscated code that generates invite messages to all of a user’s Facebook friends and includes an invisible link which has now been taken down.