Sep 7, 2010 07:20 GMT  ·  By

Spammers are exploiting an undisclosed Facebook vulnerability to force users to automatically post rogue messages on their walls when opening a maliciously crafted app page.

"I thought this survey stuff was GARBAGE but i just went on a shopping spree at walmart thanks to FB = [URL] , this wont last long so gooo!" or "I thought this survey stuff was BULL** but i swear I just used the Best Buy giftcard they sent me here [URL] to buy a laptop!" are two examples of messages the victims are posting.

It seems that simply opening any of the spammed links while logged into Facebook is enough to get compromised and automatically add the rogue application to your profile.

The spammed links vary from message to message in an almost polymorphic way, but they are all of the form http://apps.facebook.com/[name]/.

Under normal circumstances, applications must request permission before being able to post on a user's behalf, but this doesn't seem to be the case here.

This strongly suggests that a vulnerability, possibly a cross-site scripting (XSS) one, is being exploited to achieve the malicious behavior.

And since all the spam messages are posted via "Mobile Web", it is quite possible that the flaw is located somewhere on the m.facebook.com website.

Furthermore, All Facebook reports that attackers are also leveraging the same vulnerability to directly send spam messages to the friends of their victims.

Given that hundreds of thousands of users are tricked every day by basic scams that instruct them to manually give rogue applications access to their profiles, a self-propagating spam worm like this one has the capability to affect millions.

But Facebook is not the only social networking website to deal with such problems. Just yesterday we reported on a dangerous XSS vulnerability affecting Twitter that could easily have been exploited to launch a similar attack.