Facebook Porn Was 'Self-Inflicted JavaScript Injection'

It even sounds pornographic: A self-inflicted JavaScript injection was the method used to trigger the explosion of not-safe-for-work posts on Facebook earlier this week.

Attacks such as this are the bread and butter of online security firms, and Zscaler ThreatLabZ Senior Security Researcher Mike Geide explains the technology behind the attack in a blog post today.

Yesterday he discussed how Facebook users can avoid becoming victims, and you bet his advice involved Zscaler software. As for today’s post, we recommend reading it only if you’re really interested in the technological nitty-gritty. His main points are:

  • JavaScript can be run directly via browsers’ URL bars, and when web surfers are not running NoScript, it can be used to modify the page being browsed, including the way the browser interacts with buttons and links.
  • In this case, JavaScript was used to automatically interact with Facebook accounts by having users unwittingly like posts, otherwise known as likejacking.
  • Self-inflicted JavaScript injection has also been used in previous Facebook attacks, including “Hey are you still there,” “You look so stupid in this video,” and various scams related to the death of Osama Bin Laden.

Readers: Have you self-inflicted any JavaScript?
