Self-XSS is a social engineering attack used to gain control of victims' web accounts. In a self-XSS attack, the victim of the attack unknowingly runs malicious code in their own web browser, thus exposing it to the attacker.
Self-XSS operates by tricking users into copying and pasting malicious content into their browsers' web developer console. Usually, the attacker posts a message that says by copying and running certain code, the user will be able to hack another user's account. In fact, the code allows the attacker to hijack the victim's account.
History and mitigation
The "self" part of the name comes from the fact that the user is attacking themself. The "XSS" part of the name comes from the abbreviation for cross-site scripting, because both attacks result in malicious code running on a legitimate site. However, the attacks don't have much else in common, because XSS is an attack against the website itself (which users cannot protect themselves against but can be fixed by the site operator making their site more secure), whereas self-XSS is a social engineering attack against the user (which savvy users can protect themselves against but the site operator cannot do anything about it).
- Scharr, Jill (July 28, 2014). "Facebook Scam Tricks Users Into Hacking Themselves". Tom's Guide US. Purch. Retrieved September 27, 2014.
- "Social Networking Security Threats". Sophos. n.d. Retrieved September 27, 2014.
- "Bug 994134 – Warn first-time users on pasting code into the console". Bugzilla. Mozilla Foundation. April 9, 2014. Retrieved September 28, 2014.
- "Issue 345205: DevTools: Combat self-XSS". Google Code. Google. May 10, 2011. Retrieved September 28, 2014.
- "What do Self-XSS scams look like?". Facebook Help. Facebook. July 11, 2014. Retrieved September 27, 2014.
- "What is Self-XSS?". Facebook Help. Facebook. July 15, 2014. Retrieved September 27, 2014.
- Ilascu, Ionut (July 28, 2014). "Hackers Trick Facebook Users into Self Cross-Site Scripting (XSS) Scam". Softpedia. SoftNews NET SRL. Retrieved September 27, 2014.
- McCaney, Kevin (November 16, 2011). "4 ways to avoid the exploit in Facebook spam attack". GCN. 1105 Public Sector Media Group. Retrieved September 28, 2014.