Facebook Attack Appears 'Purely Malicious,' Expert Says

The Monday incident raised concerns that the attack could be escalated to something more serious. The attack was unusual, because there didn't appear to be any financial gain for the attacker, Chester Wisniewski, a security expert at vendor Sophos, said Wednesday.

"This seems to be a purely malicious act," he said in the company's blog.

Facebook acknowledged the attack, saying in a statement that it would continue to improve its systems to remove content in violation of the company's terms of use. "Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible," the company said in a statement sent to The Washington Post.

The spam apparently got on the site through Facebook members tricked into copying and pasting malicious JavaScript code into the address/location bar in their Web browser. Once the browser runs the code, the attacker can control the Web page being visited.

Such attacks are called "self-XSS," or cross-site scripting. Most of the time, victims are lured into the scam with the promise of a giveaway or sweepstakes prize by pasting the code in the browser. The vulnerability that made the scam possible is in the browser, not Facebook's web site. The name of the browser that contained the flaw was not known.

Meanwhile, Facebook is in negotiations with the Federal Trade Commission on privacy related to policy changes that were made in 2009. Users and privacy advocates filed a complaint with the FTC, claiming the changes were deceptive. Facebook is close to reaching a settlement that would subject the site to an independent privacy audit for 20 years, The Wall Street Journal reported.