Incident: Facebook Bug Allows Malware Spread Leading to Nicole Santos Hoax

Published Date: 2011-05-12

Postmortem Analysis
Timeline
1. The software failure incident of the Facebook bug that allowed malware to take over accounts and spread, leading to the "Nicole Santos" hoax, happened in May 2011 as per the article [5689]. Therefore, the timeline of the software failure incident is estimated to be May 2011.
System
1. Facebook's code vulnerability that allowed the posting of malicious code in comments, specifically the bug that improperly allowed javascript: URLs [5689].
Responsible Organization
1. The software failure incident on Facebook, allowing malware to take over accounts and spread, was caused by a bug in Facebook's code that allowed a specific category of URLs (javascript: URLs) to be improperly treated and spread as malicious code [Article 5689].
Impacted Organization
1. Facebook users were impacted by the software failure incident as their accounts were compromised and used to spread malware [5689].
Software Causes
1. The software cause of the failure incident was a bug in Facebook's code that allowed malware to take over accounts and spread overnight [5689].
2. The bug improperly allowed a specific category of URLs (javascript: URLs) to be posted as comments, which enabled the spread of malicious code [5689].
Non-software Causes
1. The hoax incident was caused by individuals exploiting a vulnerability in Facebook's code that allowed them to post malicious code in comments, which were treated as URLs and allowed to spread [Article 5689].
Impacts
1. The software failure incident led to the spread of malware on Facebook accounts, causing users' walls to be littered with profanity-laden posts urging people to "vote for Nicole Santos" [5689].
2. Users were tricked into clicking on a "remove this app" link below the malicious posts, which allowed the malware to access their Facebook accounts and spread the hoax to their friends' pages [5689].
3. The vulnerability in Facebook's code allowed a specific category of URLs (javascript: URLs) to be improperly treated, enabling the spread of the malicious code [5689].
4. The incident resulted in a viral sensation around the "Nicole Santos" hoax, with the topic trending on Twitter, the creation of anti-Nicole Santos Facebook pages, and the sale of merchandise related to the hoax [5689].
Preventions
1. Implementing proper input validation and sanitization techniques to prevent the execution of malicious code injected through comments or posts [5689].
2. Conducting regular security audits and penetration testing to identify and address vulnerabilities in the codebase [5689].
3. Enforcing stricter controls on the types of URLs or scripts that can be posted on the platform to prevent the spread of malware [5689].
4. Educating users about the risks of clicking on suspicious links and providing clear guidelines on how to identify and report potential security threats [5689].
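The first and third preventions above (input validation on user-supplied links, and restricting which URL types a comment may carry) come down to one control: parse each link and accept only an allowlist of schemes. The following is an added illustration of that control, written for this page; it is not Facebook's code and the article does not describe how Facebook's own fix works. The allowed scheme set, the helper names and the sample inputs are assumptions made for the example. Note that the check parses the URL with the platform's WHATWG `URL` parser rather than string-matching for "javascript:", because browsers normalise case and strip tab, newline and leading control characters before resolving a link, so a validator must see the same normalised scheme the browser will.

```javascript
// Added example, not part of the original incident write-up or of Facebook's code.
// Defensive link handling for user comments: reject any link whose scheme is not
// on an allowlist, and never emit a rejected link as an anchor.

// Assumed allowlist for this example; a real deployment would set its own policy.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Return a parsed URL when the link is acceptable, otherwise null.
// Absolute URLs only: a relative link (no scheme) is rejected so that the
// scheme check is always performed against an explicit scheme.
function parseLink(rawInput) {
  if (typeof rawInput !== "string") return null;
  // Mirror the browser's pre-processing: drop ASCII tab/newline anywhere and
  // strip leading/trailing C0 controls and spaces, so a value that the browser
  // would still treat as a javascript: URL is not mistaken for something else.
  const cleaned = rawInput
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  let parsed;
  try {
    parsed = new URL(cleaned); // throws on relative or unparsable input
  } catch {
    return null;
  }
  // parsed.protocol is already lower-cased by the URL parser.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed : null;
}

function isSafeLink(rawInput) {
  return parseLink(rawInput) !== null;
}

// Minimal HTML escaping for text nodes and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render a comment link: an anchor for an allowed scheme, plain escaped text
// otherwise. Rejected input is displayed, never "cleaned" into a link.
function renderCommentLink(rawInput) {
  const parsed = parseLink(rawInput);
  if (parsed === null) {
    return escapeHtml(String(rawInput));
  }
  const href = escapeHtml(parsed.href); // normalised form from the parser
  return `<a href="${href}" rel="nofollow noopener">${href}</a>`;
}

// Constructed sample inputs for a stand-alone run.
const samples = [
  "https://www.facebook.com/",
  "javascript:void(0)",
  " JaVaScRiPt:void(0)",
  "java\tscript:void(0)",
  "vote-for-nicole",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", isSafeLink(s) ? "link" : "text");
}
```

The design point is that the decision is made on the parser's normalised scheme and the policy is an allowlist, so variants in case or embedded whitespace are handled by the same code path as the plain form, and any scheme that is not explicitly permitted (data:, vbscript:, or anything added to browsers later) is rejected without a code change.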
Fixes
1. Facebook fixed the bug that allowed malware to take over accounts and spread by resolving the vulnerability in their code that allowed the malicious code to be posted in comments [Article 5689].
References
1. Facebook statement
2. The Next Web
3. Twitter trends
4. Etsy
5. Comedian who created a rap music video

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | unknown | (a) The software failure incident related to the Facebook hack involving the Nicole Santos hoax was specific to Facebook. There is no mention in the article of a similar incident happening again within the same organization (Facebook) or with its products and services. Therefore, there is no evidence to suggest that this particular software failure incident has happened again at Facebook. (b) The article does not provide information about a similar incident happening at other organizations or with their products and services. Hence, there is no indication in the article of this software failure incident occurring again at multiple organizations.
Phase (Design/Operation) | design, operation | (a) The software failure incident in the article was primarily due to a bug in Facebook's code that allowed malware to take over accounts and spread overnight. This bug was a vulnerability in the code that improperly allowed a specific category of URLs (javascript: URLs) to be posted as comments and spread as malicious code. Facebook acknowledged the issue and mentioned that the bug caused a small number of spam comments to be posted on users' walls, leading to the spread of the malware [Article 5689]. (b) The operation aspect of the software failure incident can be attributed to users clicking on the malicious links that were part of the hoax posts. By clicking on these links, users inadvertently allowed the malware to access their Facebook accounts and post the hoax to their friends' pages. The article advises users not to click on any suspicious links, especially those asking to 'Verify your account to prevent spam,' as this could be a way for the hack to gain access to their Facebook walls. It also suggests blocking friends who send such links as their accounts might be compromised [Article 5689].
Boundary (Internal/External) | within_system | From the provided article [5689], the software failure incident involving the Facebook hack can be categorized as a within_system failure. The incident was caused by a bug in Facebook's code that allowed for the spread of malware through comments on users' walls. The vulnerability within Facebook's code enabled the malicious code to be posted and treated as URLs, leading to the spread of the hoax. Facebook acknowledged the bug in their code and mentioned that the spam was spread due to a vulnerability in their system. This indicates that the contributing factors leading to the software failure originated from within the Facebook system.
Nature (Human/Non-human) | non-human_actions | (a) The software failure incident in this case was primarily due to non-human actions, specifically a bug in Facebook's code that allowed malware to take over accounts and spread overnight. Facebook acknowledged that the spam was spread by a vulnerability in their code, which allowed a specific category of URLs (javascript: URLs) to be improperly posted and spread as comments on users' walls [Article 5689].
Dimension (Hardware/Software) | software | (a) The software failure incident in the article was not attributed to hardware issues but rather to a bug in Facebook's code that allowed malware to take over accounts and spread overnight [5689]. The vulnerability in the code specifically allowed people to post malicious code in comments, which were treated as URLs and allowed to spread, ultimately leading to the hoax and spam posts on users' walls. (b) The software failure incident was primarily caused by a bug in Facebook's code that allowed the spread of malware and the hoax related to Nicole Santos [5689]. The bug improperly allowed a specific category of URLs (javascript: URLs) to be posted as comments, which then led to the malicious code accessing users' accounts and spreading the hoax on their friends' pages.
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident described in Article 5689 is malicious in nature. It involved a bug that allowed malware to take over Facebook accounts and spread overnight. The hoax related to "Nicole Santos" was a viral sensation where malicious code was posted in comments, and when users clicked on links to remove the posts, the malware gained access to their accounts and spread further. The incident was caused by a vulnerability in Facebook's code that allowed a specific category of URLs (javascript: URLs) to be treated improperly, leading to the spread of the malicious code [5689].
Intent (Poor/Accidental Decisions) | poor_decisions, accidental_decisions | From the provided article [5689], the software failure incident involving the Facebook hack can be attributed to both poor decisions and accidental decisions: (a) poor_decisions: The incident involved a bug in Facebook's code that allowed malware to take over accounts and spread, indicating a vulnerability in the code that was exploited by malicious actors. This vulnerability was a result of a poor decision in the code implementation that allowed a specific category of URLs (javascript: URLs) to be improperly processed, leading to the spread of the malware. (b) accidental_decisions: The spread of the hoax and malware was not intentional on Facebook's part but rather a consequence of a bug in the code that was quickly addressed. The incident was described as spam spread by a vulnerability in the code, indicating that the unintended consequence of this vulnerability was the propagation of the hoax and malware across users' accounts. In summary, the software failure incident involving the Facebook hack can be seen as a combination of poor decisions in the code implementation that introduced a vulnerability and accidental decisions that led to the unintended spread of malware due to this vulnerability.
Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The software failure incident in Article 5689 was primarily due to development incompetence. Facebook acknowledged that a bug in their code allowed malware to take over accounts and spread overnight, leading to the "Nicole Santos" hoax becoming a viral sensation. The bug improperly allowed a specific category of URLs (javascript: URLs) to be posted as comments, which then spread as users clicked on them. This vulnerability in the code was a result of a lack of professional competence in ensuring proper input validation and security measures during the development process [5689]. (b) Additionally, the incident can also be attributed to accidental factors. The bug that allowed the malware to spread was not intentional but rather a result of a mistake or oversight during the development process. Facebook mentioned that the spam was spread by a vulnerability in their code, indicating that the issue was not deliberately introduced but was accidental in nature [5689].
Duration | temporary | From the provided article [5689], the software failure incident related to the Facebook hack was temporary. Facebook acknowledged a bug that allowed malware to take over accounts and spread overnight. The company worked quickly to resolve the matter by fixing the vulnerability in their code that allowed the malicious code to spread. They mentioned that the bug caused a small number of spam comments to be posted to users' walls, and they were in the process of cleaning up any spam it may have caused. This indicates that the incident was temporary and not a permanent failure.
Behaviour | value, other | (a) crash: The software failure incident in the article does not involve a crash where the system loses state and does not perform any of its intended functions. [5689] (b) omission: The software failure incident in the article does not involve omission where the system omits to perform its intended functions at an instance(s). [5689] (c) timing: The software failure incident in the article does not involve timing issues where the system performs its intended functions correctly but too late or too early. [5689] (d) value: The software failure incident in the article involves a failure due to the system performing its intended functions incorrectly. The bug allowed malware to take over accounts and spread, leading to spam comments being posted on users' walls. [5689] (e) byzantine: The software failure incident in the article does not involve a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. [5689] (f) other: The software failure incident in the article involves a failure related to a vulnerability that allowed people to post malicious code in comments, which were treated as URLs and allowed to spread. This behavior is not explicitly described in options (a) to (e). [5689]

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, non-human, theoretical_consequence | (a) death: There is no mention of any deaths resulting from the software failure incident in the provided article [5689]. (b) harm: The article does not mention any physical harm caused to individuals due to the software failure incident [5689]. (c) basic: There is no indication that people's access to food or shelter was impacted by the software failure incident described in the article [5689]. (d) property: The software failure incident did impact people's data and accounts on Facebook as malware spread through the platform, causing spam comments to be posted on users' walls [5689]. (e) delay: The incident did not result in any activities being postponed due to the software failure [5689]. (f) non-human: The software failure incident primarily affected users' accounts and data on Facebook, which are considered non-human entities in this context [5689]. (g) no_consequence: The article does not mention that there were no real observed consequences of the software failure incident [5689]. (h) theoretical_consequence: The article discusses potential consequences of the software failure incident, such as the spread of malware through malicious code posted in comments on Facebook [5689]. (i) other: The article does not mention any other specific consequences of the software failure incident beyond the impact on users' accounts and the spread of malware [5689].
Domain | information | (a) The software failure incident reported in the article is related to the information industry. The incident involved a bug on Facebook that allowed malware to take over accounts and spread malicious code through comments and posts on users' walls [5689].
