Facebook blames users for porn spam deluge

Social networking behemoth Facebook has distanced itself from claims that ne'er-do-wells have penetrated its network and started posting obscene material to innocents' profiles, claiming that a browser vulnerability - and users' own stupidity - is to blame.

Increasing numbers of Facebook users - which is to say, a large chunk of the web as a whole - have noticed obscene material of the type beloved by the scamps on 4Chan making its way to their profiles without their consent.

The torrent of filth has caused many users to close their accounts in order to avoid the stigma of being seen to be sharing such horror with their friends, family, coworkers - and several hundred strangers who responded to a poorly-worded 'friend' request.

While initial indications suggested that Facebook users had fallen victim to a 'linkspam' viral which used 'click-jacking' to take over an account when a users clicked on a malicious link in a message, Facebook claims that's not the case. Instead, it's blaming the attack on a browser bug outside of its control, combined with the bad habits of the affected users.

"Recently, we experienced a coordinated spam attack that exploited a browser vulnerability," the company's statement on the matter reads. "Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

"During this spam attack users were tricked into pasting and executing malicious Javascript [sic] in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We've built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it.

"We have also been putting those affected through educational checkpoints so they know how to protect themselves," the company adds. "We've put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defences to find new ways to protect people."

The self-XSS - self-Cross Site Scripting - attacks rely, Facebook claims, on the user pasting a string of JavaScript code into the browser's address bar, causing the browser to execute the code locally - something Facebook cannot prevent.

However, the company's claims of innocence are harder to swallow when taken with an announcement made on the 12th of May in which it claimed to have added self-XSS protection to the site in order to prevent exactly this kind of attack.

"We have been working hard to improve our systems that detect and block these types of attacks, as well as to educate people on what is causing their accounts to send spam," Facebook claimed at the time. "Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it’s a bad idea."

Clearly, that system is far from the panacea Facebook originally claimed.