A widespread spam attack on Facebook has caused violent and pornographic images to be posted on some users’ profile pages, representing one of the worst security breaches in the young Web site’s history and raising concerns about its vulnerability to hackers.
The company, which acknowledged the problem Monday, said it was working to shut down the accounts responsible for the attack.
The disturbing pictures surfaced as the company tries to quell concerns about user safety and privacy. Facebook is reportedly near a settlement with the Federal Trade Commission over complaints about the way it stores and shares user data. Experts said that while this latest attack didn’t appear to compromise users’ data, it was a serious security breach.
“Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms,” Facebook spokesman Andrew Noyes said in a statement. “Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.”
According to Facebook, users were somehow tricked into copying and pasting malicious code into their browser bars. Hackers then gained access to their profiles and could post whatever they wished, and any of the user’s Facebook friends could see the images.
Chester Wisniewski, a security researcher at Sophos, said similar schemes in the past have lured users in with promises of free or discounted products.
It was unclear Tuesday who was responsible. Groups of hackers have threatened to put out a virus to “take down Facebook” over their concerns with the way it handles user privacy.
Daimon Geopfert, a security expert for RSM McGladrey, said that this was one of the largest Facebook attacks he has seen. The scale and speed were “unprecedented,” he said.
Experts said it was easy to imagine another attack on the Facebook platform that would be more troubling: sending false messages to family and friends to lure them to malicious sites, where they might be tricked into revealing private information. They warned that hackers could use the template of this attack to launch copycat efforts.
The presence of the photos upset many Facebook users, who took to Twitter to say they were weighing whether to deactivate their accounts.
Part of Facebook’s success has stemmed from its ability to get developers to create games and other applications that work seamlessly on the site’s platform. But giving such leeway to outside programmers means the site is also vulnerable to hackers, Wisniewski said.
Facebook could be doing more to stop these kinds of attacks, he said, such as checking the credentials of programmers who register with the site and giving users the option to double-check any actions before they take effect. The company has made an effort to make things seamless, he said, but convenience often comes at the expense of security.
“The technical pieces of this aren’t going to matter,” Geopfert said. “The idea that it happened and that the platform is more risky than you thought is damaging.”
Washington Post Co. chairman and chief executive Donald E. Graham is a member of the Facebook board of directors.