Facebook Hit By Malware Attack Through New Java Flaw

No user data lost in Java zero-day attack

Facebook has fallen victim to a phishing attack which loaded malware onto many of its employees’ laptops. The social media giant said no user data has been compromised – but hinted that other sites may have been attacked.

Facebook staff fell victim to a “sophisticated” campaign known as a “watering hole” attack last month, in which malware was planted on a popular mobile developer website, using a new zero-day Java flaw, a statement on the Facebook security page said. The statement, under the anodyne title “Protecting People On Facebook”, assured readers that no user data had been lost.

Facebook’s chief security officer Joe Sullivan gave details and said other sites may have been affected, and it has been suggested the attack may have had the same source as a hit on Twitter which exposed 250,000 passwords.

Facebook - Shutterstock - © Pan Xunbin / Shutterstock.com

How much is Facebook sharing?

“Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack,” the statement said. “This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops.”

The statement later says it tracked the infection to just one laptop, and all its laptops were fully-patched up to date, and the exploit was a new (“zero day”) flaw. which allowed it to bypass the protective Java sandbox and install malware.

The announcement has been criticised as rather late – and its timing just before a long-weekend US holiday for President’s Day, along with a bland headline, suggests Facebook wanted minimal coverage.

However, Facebook says it has done everything right: “As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”

Facebook also alerted to Oracle to the Java flaw: “they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability,” says Facebook. That patch was presumably included in this patch set.

Sullivan said the attack was uncovered when suspicious domains appeared in Facebook’s DNS request logs, in an interivew with Ars Technica. Facebook was able to track these requests to a specific laptop which had visited the compromised developer site. It then worked with a third party to “sinkhole” the attack, taking over the attackers network traffic.

The New York Times has also suffered an attqack, which were blamed on China, but this appears to have been spear phishing based on emails. Facebook hasn’t made any suggestions where this attack came from.

Are you a Facebook expert? Try our quiz!