Facebook's response to iPhone scam hack just raises more questions

Filed Under: Facebook, Social networks, Spam

[Image: Scam iPhone post]

Updated: Facebook's security team has posted a message on the walls of users who were hit by cybercriminals promoting a free iPhone scam earlier this week.

Although the notice from Facebook reassures customers that their account security was not compromised, the wording of Facebook's note does raise a few question marks about how the scammers managed to post photos onto users' walls without their permission.

Thousands of Facebook users are believed to have been struck in an attack which attempted to lure victims into visiting webpages with the promise of free iPads and iPhones if they completed a survey.

Even one of Mark Zuckerberg's friends had hackers post images to her profile promoting the revenue-generating links, causing the Facebook CEO to ask her if her account had been hacked.

At the time it was assumed that the affected Facebook accounts had been broken into, perhaps as the result of a phishing campaign, but the statement from Facebook's security team appears to rule this out:

[Image: Notice from Facebook security]

A Note from the Facebook Security Team

For a few hours on Sunday, there was a spamming incident on Facebook. During this time, photos (mostly of supposedly "free" iPhones) were posted to some people's Walls, including yours. We've removed the photo from your Wall and fixed the issue that allowed spammers to do this. We're sorry about the photo, but can assure you that this did not affect the security of your account in any way.

So, if the attack "did not affect the security" of the Facebook accounts, just how were unauthorised photos and links uploaded to users' walls? Facebook appears to be saying this wasn't the result of hackers stealing passwords, so it can't be that the scammers logged in as these users.

Facebook also says that they've now "fixed the issue that allowed spammers to do this". What was that issue? Was there a vulnerability in Facebook which allowed strangers to post content to other Facebook users' walls?

If so, that would be a serious security issue - and I hope it's now been properly plugged.

If you're on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.

Update: More information has now come to light regarding the bug in Facebook which allowed these hacks to occur. And it turns out that I was right - there was a serious vulnerability that the spammers exploited.

IDG journalist Robert McMillan reports that the correct checks were not made as to whether a photo could be posted to a user's profile, leaving a hole through which the spammers could squirm their messages.

McMillan managed to get a Facebook spokesperson to shed more light on how the spam was being spread:

"Earlier this week, we discovered a bug in the code that processes photos as they're uploaded. This bug caused us not to make the correct checks when determining whether a photo should be posted to a person's profile," Facebook said Friday in an e-mailed statement. "We quickly worked to resolve the issue and fixed it shortly after discovering it. For a short period of time before it was fixed, a single spammer was able to post photos to people's profiles that they hadn't approved."
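The statement describes a classic server-side authorisation gap: the code that processes an uploaded photo never verified that the uploader was allowed to post to the target Wall. The sketch below is an added illustration of that bug class and its fix, not Facebook's code; the `User`, `Photo` and wall-permission model are assumptions made up for the example.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)
    friends_can_post: bool = True  # assumed Wall privacy setting


@dataclass
class Photo:
    owner_uid: str   # who uploaded it
    target_uid: str  # Wall the upload request asks to post to


def vulnerable_post_photo(actor, target, photo, walls):
    """Bug class from the statement: trusts the target id in the upload
    request and posts without checking whether actor may post there."""
    walls.setdefault(target.uid, []).append(photo)
    return True


def may_post_to_wall(actor, target):
    """The check the upload path must make before touching someone's Wall."""
    if actor.uid == target.uid:
        return True
    return target.friends_can_post and actor.uid in target.friends


def hardened_post_photo(actor, target, photo, walls):
    """Same operation with the authorisation decision made server-side.
    Returns (posted, reason) so denials can be logged and monitored."""
    if photo.owner_uid != actor.uid:
        return False, "photo-not-owned-by-actor"
    if photo.target_uid != target.uid:
        return False, "target-mismatch"
    if not may_post_to_wall(actor, target):
        return False, "actor-may-not-post-to-target"
    walls.setdefault(target.uid, []).append(photo)
    return True, "ok"


# Constructed scenario: a stranger tries to push a photo onto a user's Wall.
def demo():
    victim = User("victim")
    spammer = User("spammer")
    photo = Photo(owner_uid="spammer", target_uid="victim")
    walls = {}
    vulnerable_post_photo(spammer, victim, photo, walls)   # lands on the Wall
    posted, reason = hardened_post_photo(spammer, victim, photo, {})
    return len(walls["victim"]), posted, reason
```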

Spammers are becoming more and more attracted to abusing social networking sites like Facebook to spread their messages - we all need to hope that sites will be quick to close security loopholes like this one when they appear.


2 Responses to Facebook's response to iPhone scam hack just raises more questions

  1. Anette · 1338 days ago

    This article was posted in September 2010. It's now 2011 and yet, spammers and scammers can still post to people's Walls without the knowledge of the Wall owner and the Facebook friend who supposedly posted the spam scam message. I am a victim myself several times over just a few days ago. I informed my friend about it, asked her to clean up her FB account/app settings, and referred her to your website for further help. I was so alarmed as her account kept on posting the spam/scam message on all of her friends' Walls (saw it on my News Feed), I reported each instance I saw to Facebook as Spam. I thought it had stopped the following day, but seeing it hadn't, I deleted my friend from my list. I sent her a message saying why I "un-friended" her temporarily and she could always add me back when she has sorted the problem with her account.

  2. Anetski · 1338 days ago

    I wonder what happened to the reports I sent to Facebook. Seeing the same issue on another friend's account wherein her account posted the same spam scam on most of her friends' Walls (I'm relieved I didn't get one!), I could only surmise Facebook hasn't done anything yet to fix the issue, or they do not review the reports FB users send them.

    What do you think, Graham?


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.