Facebook Hit By Malware Attack Through New Java Flaw

Facebook has fallen victim to a phishing attack which loaded malware onto many of its employees’ laptops. The social media giant said no user data has been compromised – but hinted that other sites may have been attacked.

Facebook staff fell victim to a “sophisticated” campaign known as a “watering hole” attack last month, in which malware was planted on a popular mobile developer website, using a new zero-day Java flaw, a statement on the Facebook security page said. The statement, under the anodyne title “Protecting People On Facebook”, assured readers that no user data had been lost.

Facebook’s chief security officer Joe Sullivan gave details and said other sites may have been affected, and it has been suggested the attack may have had the same source as a hit on Twitter which exposed 250,000 passwords.

How much is Facebook sharing?

“Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack,” the statement said. “This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops.”

The statement later says Facebook tracked the infection to just one laptop, that all its laptops were fully patched and up to date, and that the exploit used a new (“zero day”) flaw which allowed it to bypass the protective Java sandbox and install malware.

The announcement has been criticised as rather late – and its timing just before a long-weekend US holiday for President’s Day, along with a bland headline, suggests Facebook wanted minimal coverage.

However, Facebook says it has done everything right: “As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”

Facebook also alerted Oracle to the Java flaw: “they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability,” says Facebook. That patch was presumably included in this patch set.

Sullivan said in an interview with Ars Technica that the attack was uncovered when suspicious domains appeared in Facebook’s DNS request logs. Facebook was able to track these requests to a specific laptop which had visited the compromised developer site. It then worked with a third party to “sinkhole” the attack, taking over the attackers’ network traffic.
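The detection described above, unfamiliar domains in DNS request logs traced back to one laptop, can be sketched as follows. This is an added example, not Facebook's tooling or anything from the original article; the log layout, host names, domains, baseline and rarity threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log; the "timestamp client query_name" layout is an assumption.
SAMPLE_LOG = """\
2013-01-15T09:00:01 laptop-017 www.example.com
2013-01-15T09:00:04 laptop-022 mail.example.org
2013-01-15T09:01:10 laptop-017 dev-forum.example.net
2013-01-15T09:01:12 laptop-022 dev-forum.example.net
2013-01-15T09:01:30 laptop-017 a1.unknown-placeholder.test
2013-01-15T09:06:30 laptop-017 a2.unknown-placeholder.test
2013-01-15T09:11:30 laptop-017 A1.unknown-placeholder.test.
malformed line
"""

# Assumed baseline of domains already known to be routine on this network.
BASELINE = {"example.com", "example.org"}


def registered_domain(qname):
    """Normalise a query name and keep its last two labels.
    (Simplification: real tooling should use the Public Suffix List.)"""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_suspects(log_text, baseline, max_clients=1):
    """Return {domain: {"clients": [...], "queries": n}} for domains that are
    outside the baseline and were looked up by at most max_clients hosts."""
    clients = defaultdict(set)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed or truncated records
        _, client, qname = fields
        domain = registered_domain(qname)
        if domain in baseline:
            continue  # routine traffic, not interesting
        clients[domain].add(client)
        counts[domain] += 1
    # Rare domains: unknown to the baseline and seen from very few hosts.
    return {
        d: {"clients": sorted(c), "queries": counts[d]}
        for d, c in clients.items()
        if len(c) <= max_clients
    }


if __name__ == "__main__":
    for domain, info in find_suspects(SAMPLE_LOG, BASELINE).items():
        print(domain, info)
```

The domain that several hosts query is left out at the default threshold, while the one queried repeatedly by a single host is reported together with that host's name, which is the pivot from log entry to laptop.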

The New York Times has also suffered an attack, which was blamed on China, but this appears to have been spear phishing based on emails. Facebook hasn’t made any suggestions as to where this attack came from.


Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking security, mobility and cloud
