Monday, 6 September 2010

Facebook and Twitter user accounts hacked with 'free iPad' scams


A spammer has exploited a serious vulnerability in Facebook's photo upload system to spam both Facebook and Twitter with photos promising "free" iPads and iPhones.
The photos, posted to people's walls by exploiting a flaw in which Facebook did not check whether a photo was allowed to be posted to someone's profile, pretended to be from the profile owner and promoted schemes promising cheap or free gadgets - particularly iPhones and iPads.
Among those affected was a friend of Facebook chief executive Mark Zuckerberg, according to the security company Sophos; Zuckerberg responded to the picture by asking his friend "Is this real or did your account get hacked?"
Robert McMillan for IDG was the first with the detail, which he says let the spammer post "thousands" of messages on people's walls.
People who saw the fake postings appear on their wall, and knew they hadn't put them there, would assume it was their own account that had been hacked and change their password - but this made no difference, because the flaw was in Facebook's photo authentication code, not in their credentials.
As the company told McMillan, "Earlier this week, we discovered a bug in the code that processes photos as they're uploaded. This bug caused us not to make the correct checks when determining whether a photo should be posted to a person's profile... We quickly worked to resolve the issue and fixed it shortly after discovering it. For a short period of time before it was fixed, a single spammer was able to post photos to people's profiles that they hadn't approved".
The Guardian
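The bug Facebook describes is a missing server-side authorization check on the "post photo to profile" action. The following is an added illustration, not Facebook's code: a minimal model of that check, with the vulnerable handler beside its fixed form. The profile fields, the `friends_can_post` wall setting and the authorization rule are assumptions.

```python
# Added illustration (not Facebook's code): a minimal model of the missing
# authorization check described in the article. Names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Profile:
    owner: str
    friends: set = field(default_factory=set)
    friends_can_post: bool = True      # wall privacy setting (constructed)
    wall: list = field(default_factory=list)


class NotAuthorized(Exception):
    pass


def post_photo_vulnerable(uploader: str, target: Profile, photo_id: str) -> None:
    """Vulnerable version: the target profile named in the request is trusted as-is."""
    target.wall.append((uploader, photo_id))


def may_post_to_wall(uploader: str, target: Profile) -> bool:
    """Authorization rule (assumed): the owner always; friends only if the wall allows it."""
    if uploader == target.owner:
        return True
    return target.friends_can_post and uploader in target.friends


def post_photo_fixed(uploader: str, target: Profile, photo_id: str) -> None:
    """Fixed version: decide server-side before touching the target's wall."""
    if not may_post_to_wall(uploader, target):
        raise NotAuthorized(f"{uploader} may not post to {target.owner}'s wall")
    target.wall.append((uploader, photo_id))


def demo() -> dict:
    """Run a stranger's upload against both versions; return resulting wall sizes."""
    victim = Profile(owner="alice", friends={"bob"})
    post_photo_vulnerable("spammer", victim, "free-ipad.jpg")   # lands on the wall
    vulnerable_count = len(victim.wall)

    victim = Profile(owner="alice", friends={"bob"})
    try:
        post_photo_fixed("spammer", victim, "free-ipad.jpg")    # rejected
    except NotAuthorized:
        pass
    post_photo_fixed("bob", victim, "holiday.jpg")              # friend, allowed
    return {"vulnerable": vulnerable_count, "fixed": len(victim.wall)}
```

The point for a reviewer is that the decision lives next to the write: the uploader's identity comes from the session, the target's policy from the server, and the request body is never the source of either.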