Turkish system messages poisoned with bad words

Jul 29, 2010 13:53 GMT  ·  By

Pranksters managed to replace popular Facebook system messages in Turkish with offensive language yesterday. The attack abused the crowdsourced voting system: once enough votes backed a rogue translation, it was approved automatically.

Facebook provides an application called “Translations” for people to translate the thousands of system messages and alerts into their native language. Through a submission and voting system, the app also allows the community to improve on the existing translations.

Unfortunately, a group of Turkish pranksters realized that if they could gather enough votes behind a proposed translation, the change would be accepted automatically. They therefore asked the members of a forum to help poison popular Facebook messages in Turkish with offensive terms, for fun.

"The word 'Like' for example was substituted for another word that rhymes with Luck but begins with an F," Rik Ferguson, a senior security advisor at Trend Micro, who tracked the attack as it was happening, reports. Clearly this change affected a lot of people, including children, since the "Like" feature is an extremely popular one. Another frequently encountered system message, "Your message could not be sent because the user is offline," was modified to include insulting references to the male anatomy.

The vote flooding and translation poisoning went on for a while, until Facebook staff caught on and reverted all rogue changes. The translation application was also disabled temporarily for multiple languages. It is not yet clear whether this decision was prompted by similar attacks performed by other groups imitating the Turkish pranksters.

"Perhaps there were possibilities here for criminals to take advantage of by substituting obfuscated URLs for the popular words. Perhaps it is fortunate that the hole has been exposed through a prank in the first instance and not something more nefarious. Any online service, whether it’s translation or reputation services, which solicits user generated content would be well advised to quality check that content before going live with it," Rik Ferguson writes.
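To make the weakness concrete, here is an added example (it is not Facebook's code and not from Rik Ferguson): a toy model of the voting workflow described above, with the rule the pranksters abused next to a hardened one that applies the kind of pre-publication quality check Ferguson recommends and discounts vote flooding. Everything in it is assumed: the thresholds, the `badword` blocklist, the account-age and brigading heuristics, and the sample votes and translations.

```python
# Added example, not Facebook's code: a toy model of a crowdsourced
# translation-voting workflow. weak_auto_approve() is the rule the
# pranksters abused (raw vote count reaches a threshold -> goes live).
# hardened_decision() quality-checks the text and discounts flooded
# votes first. Thresholds, the blocklist and all sample data below are
# assumptions constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set
import re


@dataclass
class Vote:
    user_id: str
    account_created: datetime
    cast_at: datetime


@dataclass
class Candidate:
    original: str                      # source string, e.g. "Like"
    proposed: str                      # submitted translation
    votes: List[Vote] = field(default_factory=list)


AUTO_APPROVE_VOTES = 20                 # assumed approval threshold
MIN_ACCOUNT_AGE = timedelta(days=30)    # younger accounts' votes do not count
BRIGADE_WINDOW = timedelta(minutes=10)  # votes bunched in this window look coordinated
BRIGADE_FRACTION = 0.5                  # ...if they are more than half of all votes
MAX_LENGTH_RATIO = 3.0                  # translation far longer than the source is suspect
BLOCKLIST: Set[str] = {"badword"}       # assumed; a real deployment loads a per-language list
URL_LIKE = re.compile(r"(https?://|www\.|\w+\.(com|net|org|tk)\b|%[0-9a-f]{2})", re.I)


def weak_auto_approve(c: Candidate) -> bool:
    """The abused rule: enough votes and the text goes live unreviewed."""
    return len(c.votes) >= AUTO_APPROVE_VOTES


def quality_check(c: Candidate, blocklist: Set[str]) -> List[str]:
    """Content checks that run before any vote is even counted."""
    problems = []
    if URL_LIKE.search(c.proposed):
        problems.append("contains URL-like text")
    if set(re.findall(r"\w+", c.proposed.lower())) & blocklist:
        problems.append("contains blocklisted term")
    if len(c.proposed) > MAX_LENGTH_RATIO * max(len(c.original), 1):
        problems.append("suspicious length")
    return problems


def weighted_votes(c: Candidate) -> int:
    """Count only votes cast by accounts at least MIN_ACCOUNT_AGE old."""
    return sum(1 for v in c.votes if v.cast_at - v.account_created >= MIN_ACCOUNT_AGE)


def looks_brigaded(c: Candidate) -> bool:
    """True if more than BRIGADE_FRACTION of the votes fall inside one BRIGADE_WINDOW."""
    times = sorted(v.cast_at for v in c.votes)
    if not times:
        return False
    best, j = 0, 0
    for i in range(len(times)):             # sliding window over sorted timestamps
        while times[i] - times[j] > BRIGADE_WINDOW:
            j += 1
        best = max(best, i - j + 1)
    return best / len(times) > BRIGADE_FRACTION


def hardened_decision(c: Candidate, blocklist: Set[str] = BLOCKLIST) -> str:
    """Returns 'rejected', 'review', 'live' or 'pending'."""
    if quality_check(c, blocklist):
        return "rejected"                  # never let it near the vote count
    if looks_brigaded(c):
        return "review"                    # hold for a human, whatever the count
    if weighted_votes(c) >= AUTO_APPROVE_VOTES:
        return "live"
    return "pending"


# --- constructed sample data -------------------------------------------------
T0 = datetime(2010, 7, 28, 12, 0)


def make_votes(n: int, spacing: timedelta, account_age: timedelta) -> List[Vote]:
    """n constructed votes, `spacing` apart, from accounts `account_age` old."""
    return [Vote(f"u{i}", T0 - account_age, T0 + i * spacing) for i in range(n)]


ORGANIC = make_votes(25, timedelta(hours=2), timedelta(days=90))   # spread over two days
FLOOD = make_votes(25, timedelta(seconds=10), timedelta(days=1))   # 25 votes in four minutes

GOOD = Candidate("Like", "Beğen", ORGANIC)
BAD_WORD = Candidate("Like", "badword", FLOOD)
FLOODED_CLEAN = Candidate("Like", "Beğen", FLOOD)
WITH_URL = Candidate("Your message could not be sent because the user is offline",
                     "Mesajınız gönderilemedi http://evil.example/x", ORGANIC)

if __name__ == "__main__":
    for c in (GOOD, BAD_WORD, FLOODED_CLEAN, WITH_URL):
        print(f"{c.proposed!r:50} weak={weak_auto_approve(c)!s:5} hardened={hardened_decision(c)}")
```

All four candidates clear the weak rule because it only counts votes. In the hardened path the content check runs first, so an obfuscated URL or a blocklisted term never reaches the vote tally at all, and a clean translation whose votes arrive in a burst from young accounts is held for human review rather than silently dropped, which keeps the crowdsourcing useful while removing the automatic path to production.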

You can follow the editor on Twitter @lconstantin