Self-XSS attack explained

I’ve seen a lot of people talking about the recent social-engineering attacks on Facebook, but no one has really outlined the mechanics behind them. So hopefully this video sheds some light on the issue – I work on the team at Facebook that combats these attacks.

This video covers both share-baiting (a pure social-engineering attack) and self-XSS (a combination of social engineering and a browser vulnerability). Neither is a virus or a compromise of Facebook itself; they are simply ways to trick users into doing dangerous things in their own browser.

It’s worth noting that the browser vulnerability here is the result of a feature intended for developers being enabled by default for ordinary users. There are legitimate use cases for this feature, but they apply only to a very small subset of users; enabled for everyone, the feature creates the security problems outlined in this video.