Facebook Porn Was 'Self-Inflicted JavaScript Injection'

It even sounds pornographic: A self-inflicted JavaScript injection was the method used to trigger the explosion of not-safe-for-work posts on Facebook earlier this week.

Attacks such as this are the bread and butter of online security firms, and Zscaler ThreatLabZ Senior Security Researcher Mike Geide explains the technology behind the attack in a blog post today.

Yesterday he’d discussed how Facebook users can avoid becoming victims, and you bet his advice involved Zscaler software. As for today’s post, we recommend reading it only if you’re really interested in the technological nitty-gritty. His main points are:

  • JavaScript can be run directly via browsers’ URL bars, and when web surfers are not running NoScript, it can be used to modify the page being browsed, including the way the browser interacts with buttons and links.
  • In this case, JavaScript was used to automatically interact with Facebook accounts by having users unwittingly like posts, otherwise known as likejacking.
  • Self-inflicted JavaScript injection has also been used in previous Facebook attacks, including, “Hey are you still there,” “You look so stupid in this video,” and various scams related to the death of Osama Bin Laden.
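For defenders, a check for the first point above, written as an added example that is not from Geide's post or from Facebook: it flags text that would be treated as a `javascript:` URL if pasted into the address bar, applying the input clean-up steps of the WHATWG URL Standard so that padded or split-up scheme names are still caught. The function names and sample strings are hypothetical and constructed for illustration.

```javascript
// Normalise the way the WHATWG URL parser does before it looks for a scheme:
// strip leading/trailing C0 controls and spaces, then drop every ASCII
// tab and newline anywhere in the string.
function normalizeForSchemeCheck(input) {
  return String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Return the lower-cased URL scheme, or null when the text has none.
function extractScheme(input) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(normalizeForSchemeCheck(input));
  return m ? m[1].toLowerCase() : null;
}

// True when the pasted text would run script in the page that is currently
// open (the "self-inflicted" case) instead of navigating somewhere.
function isSelfInjectionPaste(input) {
  return extractScheme(input) === "javascript";
}

// Constructed sample inputs; the script bodies are inert placeholders.
const samples = [
  "https://www.facebook.com/",   // ordinary navigation
  "javascript:void(0)",          // plain form
  "  JavaScript:void(0)",        // leading spaces, mixed case
  "java\tscript:void(0)",        // tab inside the scheme name
  "\njavascript\r\n:void(0)",    // newlines around the scheme
  "see javascript:void(0)",      // prose, not parsed as a URL scheme
];

// Classify a list of pasted strings and report which ones to block.
function classifyAll(list) {
  return list.map((text) => ({
    text: JSON.stringify(text),
    blocked: isSelfInjectionPaste(text),
  }));
}

console.log(classifyAll(samples));
```

A naive `startsWith("javascript:")` test would miss three of the four flagged samples, which is why the normalisation step comes first.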

Readers: Have you self-inflicted any JavaScript?
