Facebook Porn Was 'Self-Inflicted JavaScript Injection'

It even sounds pornographic: A self-inflicted JavaScript injection was the method used to trigger the explosion of not-safe-for-work posts on Facebook earlier this week.

Attacks such as this are the bread and butter of online security firms, and Zscaler ThreatLabZ Senior Security Researcher Mike Geide explains the technology behind the attack in a blog post today.

Yesterday he’d discussed how Facebook users can avoid becoming victims, and you bet his advice involved Zscaler software. As for today’s post, we recommend reading it only if you’re really interested in the technological nitty-gritty. His main points are:

  • JavaScript can be run directly via browsers’ URL bars, and when web surfers are not running NoScript, it can be used to modify the page being browsed, including the way the browser interacts with buttons and links.
  • In this case, JavaScript was used to automatically interact with Facebook accounts by having users unwittingly like posts, otherwise known as likejacking.
  • Self-inflicted JavaScript injection has also been used in previous Facebook attacks, including, “Hey are you still there,” “You look so stupid in this video,” and various scams related to the death of Osama Bin Laden.
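
Because the technique relies on a user pasting a `javascript:` URL into the address bar, a site or message filter can flag that scheme in pasted or posted text. This is an added example, not code from this article or from Zscaler; the function names and sample strings are constructed, and the whitespace handling follows the WHATWG URL parser.

```javascript
// Added example, not from the article or the Zscaler post.
// Mirrors the WHATWG URL parser's input clean-up: strip leading/trailing
// C0 control characters and spaces, then remove every ASCII tab and newline.
function normalizeLikeBrowser(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// True when the whole string would be parsed as a javascript: URL.
function isScriptUrl(text) {
  return /^javascript:/i.test(normalizeLikeBrowser(text));
}

// "javascript:" with optional tabs/newlines between any two characters,
// not preceded by a character that could belong to a longer scheme name.
const SCHEME = new RegExp(
  "(?<![a-z0-9+.-])" + "javascript:".split("").join("[\\t\\n\\r]*"),
  "gi"
);

// Return the offsets in a message where a javascript: URL starts, so the
// post can be held for review or the paste can trigger a warning.
function findScriptUrls(message) {
  return Array.from(message.matchAll(SCHEME), (m) => m.index);
}

// Constructed sample inputs (payload bodies replaced with a harmless call).
const samples = [
  "javascript:void(0)",
  "  JaVa\tScRiPt:void(0)",
  "x-javascript:void(0)",
  "To see who viewed your profile, paste this in the URL bar: javascript:void(0)",
  "I am learning JavaScript this week",
];
for (const s of samples) {
  console.log(JSON.stringify(s), isScriptUrl(s), findScriptUrls(s));
}
```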

Readers: Have you self-inflicted any JavaScript?
