Facebook said it has rid its site of most of the pornographic and violent images posted as part of a spam attack.
The social network blamed a browser vulnerability and said it was improving its systems to defend itself against similar attacks in the future.
Thousands of the website’s 800 million users have complained about the pictures over recent days.
A source told the BBC that Facebook knew who was responsible – and it was not an Anonymous hacktivist.
The firm is understood to be working with its legal department to take action against the suspected attacker.
Browser exploit
Facebook said the spam attack worked via a “self-XSS vulnerability in the browser”.
It added: “During this attack, users were tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content.
“No user data or accounts were compromised during this attack.”
The firm said its engineers had built enforcement mechanisms to shut down malicious pages and accounts that attempt to exploit the vulnerability.
It also offered the following advice to help guard against further attacks:
- Never copy and paste unknown code into the address bar
- Always use an up-to-date browser
- Use the report links on Facebook to flag suspicious behaviour or content on friends’ accounts
Strange
Facebook allows children above the age of 13 to be members, and polices a ban against inappropriate images.
However, security experts said it was difficult for the firm to respond to this threat, bearing in mind it exploited a vulnerability in an unnamed web browser rather than the site itself.
They also said that the attack was very unusual because most other scams on the social network are designed to deliver a financial payout.
“This seems to be a purely malicious act. Facebook has a reputation for maintaining a reasonably family-friendly environment,” wrote Chester Wisniewski, a senior security advisor at Sophos, on his company’s blog.
“Hopefully whichever browser it is that has the flaw will provide a fix ASAP, but as we know most people are slow to apply updates regardless of which browser they use (except Chrome).”
“The flaw being exploited could likely be used against other sites as well if users can be tricked into pasting malicious javascript into the browser.”