Facebook users on Tuesday were assaulted by a wave of pornographic and violent images, pushed into their accounts as content supposedly liked or recommended by their friends.
The images included doctored photos of pop singer Justin Bieber and other celebrities in demeaning poses. Other images depicted extreme violence and abused animals.
Facebook members complained and described the images in Twitter posts all morning. By midafternoon Eastern time, Facebook indicated it had the attack under control.
"We experienced a coordinated spam attack that exploited a browser vulnerability," says Facebook spokesman Andrew Noyes. "Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible."
Such attacks use Facebook systems to rapidly push malicious content all across the social network, says Mike Geide, senior researcher at security firm Zscaler. Similar trickery occurred when Osama bin Laden was killed: Hackers distributed messages to Facebook members luring them to cut and paste code into their browser address bar to see a video of bin Laden's body.
The bad guys in that case tapped into Facebook's systems to push spam advertisements virally to the victims' friends and friends of friends. The spammers got paid every time someone clicked on the ad.
Clever criminals can push whatever content they desire through Facebook's automated sharing system. Often attackers virally share corrupted Web links; people who click on such a link give control of their PC to the attacker, Geide says.
"In this case there doesn't seem to be any motive other than to embarrass Facebook," says Chet Wisniewski, senior researcher at anti-virus firm Sophos.
Speculation circulated that hackers associated with the renowned hacktivist group Anonymous were behind Tuesday's Facebook attack.
In August, Anonymous issued a decree that a major Facebook hack — dubbed the "Fawkes" virus in honor of the anti-hero Guy Fawkes from the movie V for Vendetta — would come in November. Anonymous posted a video last week repeating the threat.