ALERT: Massive New Survey Worm Spreading On Facebook

A group of developers has found a loophole in Facebook’s application Platform which enables them to automatically post messages to a user’s wall. This loophole doesn’t require any action by the user; it simply posts to the user’s wall the moment they load the application. Right now the messages being spread state “I thought this survey stuff was GARBAGE but i just went on a shopping spree at walmart thanks to FB”. This is a scam; do not click on any of the applications!

This happens to be one of the fastest spreading scams we’ve seen on Facebook to date, and also one of the largest security glitches in the Facebook Platform. While we’re not aware of any viruses that result from the system, it appears that the standard offers system is driving this scam. In other words, once users enter their email, they are prompted to complete an offer. There’s also a risk of having your phone number charged by entering it on the form; however, we haven’t confirmed that yet.

The clear message is this: do not click on any of the links if your friends post them. Clicking will immediately post the message to your wall. This is fairly widespread, as there are numerous applications that are spreading the scam. There appear to be thousands of applications that have been used as part of this scam, which will make it much more time-consuming for Facebook to shut down the scammers.

We will update this post as we get more information. Right now there are countless applications that are being used. It would take us too long to list every application; however, you can see all the people being impacted here. As we mentioned before: do not click any of the links in these messages. Also, be sure to share this with your friends so they don’t fall for the scam as well!

Update
The spammers have also figured out a way to automatically message your friends (as seen in the image below).


20 Comments »

  1. I received that very message this morning in FB when I logged in (the one showing in the personal message, not the post). I didn't open the link and just deleted it. I think everyone else should do the same.

    Comment by Beryle Manz — September 6, 2010 @ 6:51 pm

  2. This isn't really "they figured out a loophole". 90% of developers know about this and exactly how to create it, we also know that our apps get shutdown if we do use this "loophole". Point is: it's not "new"

    Comment by Mitchell — September 6, 2010 @ 11:49 pm

  3. I swear, every week there's a new one of those. Most are for weight loss or iPhone scams though. I get messages like that constantly. This isn't the first or the last, because facebook really doesn't seem to care.

    Comment by Nothing — September 7, 2010 @ 1:11 am

  4. You are wrong, users need to authorize app and allow it to post to their walls, it's not a loophole, just facebook apps standard feature.

    Comment by John — September 7, 2010 @ 6:42 am

  5. Hi all –

    I work at Facebook and wanted to give some more background on the above mentioned problem.

    Earlier this week, we discovered a bug that made it possible for an application to bypass our normal CSRF protections through a complicated series of steps. We quickly worked to resolve the issue and fixed it within hours of discovering it. For a short period of time before it was fixed, several applications that violated our policies were able to post content to people's profiles if those people first clicked on a link to the application. We disabled the applications before they could spread very far and removed the posts. We're advising people to be wary of posts and messages with suspicious-looking links, even if they come from friends, and to report applications that might violate our policies. These tips and others can be found on the Facebook Security Page: http://www.facebook.com/security.

    Comment by Fred Wolens — September 7, 2010 @ 9:53 am

  6. The image just below "Update" is almost exactly what I got by email & on Facebook. Now the damned thing is replicating itself to everyone on my friends list. As for "loophole", John, you're wrong. These things have links. I got mine from my grandson and thought it was legitimate. So I click on the link wondering what he wants me to see and . . . BAM! Glad Facebook disabled it.

    Comment by Bill — September 7, 2010 @ 6:00 pm

  7. What you morons fail to see, it's the Facebook people that are causing this. Thank God, I delete all mail Feb and Aug.

    Comment by LoganByrne — September 7, 2010 @ 10:12 pm

  8. I cannot log in, every time I try to, it throws me a page saying: This is a security measure to help ensure that FB remains a community of people using their real identities to connect and share. It is asking me for a mobile number with this explanation as to why they want it: If you ever lose your password, you'll also be able to use your mobile # to access your account. To access your FB account, just follow the on-site instructions to add your mobile phone #. If you are having issues or are unable to complete the confirmation process you can report the problem here. /help/?faq=18257. It also says FB will text you an authorization code in which to log in with. Is this a bug or is it really FB trying to protect me? I also found on Yahoo where several people were having this same issue and one stated that FB posted they were doing maintenance, that comment was over 8 hours ago. Please let me know, I'm exhausted from trying to find something out about this roadblock showing up on address. Please help. Thank you.

    Comment by Marie — September 8, 2010 @ 9:01 am

  9. Simple, Think before you click!

    Comment by richen — September 8, 2010 @ 10:42 am

  10. TEST
    http://tinyurl.com/Faceb00k-JiriSram

    Comment by Jiri Sram — September 8, 2010 @ 2:23 pm

  11. I think it is just FB's scam to get more info they can eventually sell or use for their own purposes. If nothing else they'll know what area you are in and be able to target more advertising at you. I'm having the same problem myself, and have been for 3-4 days. I am not willing to give in to FB's demands (especially when they do it under the guise of "for the consumer's benefit"). I for one am quite willing to live without FB if necessary.

    Comment by Guest User — September 12, 2010 @ 5:00 am

  12. [...] While this is not a platform exploit that reveals a bug with the Facebook Platform, like the recent survey worm, it’s another like-jacking scam, something that has become increasingly prevalent over the [...]

    Pingback by ALERT: Massive Free iPhone Like-Jacking Worm Spreading On Facebook — October 5, 2010 @ 12:31 pm

  13. [...] worrying is that our friends at All Facebook report that the worm can automatically post to your wall and message your friends – helping it to spread [...]

    Pingback by Survey stuff worm spreads across Facebook | Naked Security — December 19, 2010 @ 10:07 am

  14. just remember to put in your cell phone number to receive exclusive prizes i did and got a hd tv

    Comment by sally raigner — April 18, 2011 @ 10:03 am

  15. knew your protection was crap…..now i know and will refrain from using…….until was warned!!!!!!

    Comment by derrick, — June 7, 2011 @ 11:59 pm

  16. It's dangerous, Facebook has hundreds of millions of users, if the hacker can access these accounts will harm the world's Internet

    Comment by Papa Johns Coupons — September 8, 2011 @ 1:14 pm

  17. An analysis of posts by hour on Saturday alone would be needed to confirm that.

    Comment by oil expellers — October 20, 2011 @ 10:28 pm

  18. think think before do click

    iPod | iPhone | iPad
    Gadget | Telephone Mobile

    Comment by gadget | technology — November 16, 2011 @ 7:32 pm

  19. Hey, I'm unable to log in on my FB a/c.. whenever I open the page, a page loads up stating to go through the survey so as to verify the age.. I couldn't log in since the last 1 week… someone plz help me in solving this…

    Comment by sanjay jain — January 15, 2012 @ 1:38 am

  20. I'm so tired of this worms and virus regimen… Now in facebook too? :(

    Comment by dieta — January 23, 2012 @ 9:44 am
