Facebook’s response to iPhone scam hack just raises more questions

Scam iPhone post
Updated Facebook’s security team has posted a message on the walls of users who were hit by cybercriminals promoting a free iPhone scam earlier this week.

Although the notice from Facebook reassures customers that their account security was not compromised, the wording of Facebook’s note does raise a few question marks about how the scammers managed to post photos onto users’ walls without their permission.

Thousands of Facebook users are believed to have been struck in an attack which attempted to lure victims into visiting webpages with the promise of free iPads and iPhones if they completed a survey.

Even one of Mark Zuckerberg’s friends had hackers post images to her profile promoting the revenue-generating links, causing the Facebook CEO to ask her if her account had been hacked.

At the time it was assumed that the affected Facebook accounts had been broken into, perhaps as the result of a phishing campaign, but the statement from Facebook’s security team appears to rule this out:

Notice from Facebook security

A Note from the Facebook Security Team

For a few hours on Sunday, there was a spamming incident on Facebook. During this time, photos (mostly of supposedly "free" iPhones) were posted to some people's Walls, including yours. We've removed the photo from your Wall and fixed the issue that allowed spammers to do this. We're sorry about the photo, but can assure you that did this did not affect the security of your account in any way.

So, if the attack “did not affect the security” of the Facebook accounts, just how were unauthorised photos and links uploaded to users’ walls? Facebook appears to be saying this wasn’t the result of hackers stealing passwords, so it can’t be that the scammers logged in as these users.

Facebook also says that they’ve now “fixed the issue that allowed spammers to do this”. What was that issue? Was there a vulnerability in Facebook which allowed strangers to post content to other Facebook users’ walls?

If so, that would be a serious security issue – and I hope it’s now been properly plugged.

If you’re on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Sophos Facebook page.

Update More information has now come to light regarding the bug in Facebook which allowed these hacks to occur. And it turns out that I was right – there was a serious vulnerability that the spammers exploited.

IDG journalist Robert McMillan reports that correct checks were not made as to whether photos could be posted to a user’s profile, giving a hole through the spammers could squirm through their messages.

McMillan managed to get a Facebook spokesperson to shed more light on how the spam was being spread:

"Earlier this week, we discovered a bug in the code that processes photos as they're uploaded. This bug caused us not to make the correct checks when determining whether a photo should be posted to a person's profile," Facebook said Friday in an e-mailed statement. "We quickly worked to resolve the issue and fixed it shortly after discovering it. For a short period of time before it was fixed, a single spammer was able to post photos to people's profiles that they hadn't approved."

Spammers are becoming more and more attracted to abusing social networking sites like Facebook to spread their messages – we all need to hope that sites will be quick to close security loopholes like this one when they appear.