A customer of Sendible, an online marketing service for promoting and tracking brands via social media, e-mail and SMS messaging, has inadvertently discovered a flaw in the Facebook API.
Using Sendible’s Facebook application, he tried to post messages on a few Facebook walls as a fan, but because of the flaw the messages were apparently published as status updates from the owners of those pages.
Before the flaw could be patched, it was apparently also discovered by other users, who used it to spread a malicious link that supposedly let victims change their Facebook background. The message appeared on a number of Facebook pages belonging to brands and companies such as Coca-Cola, Google, YouTube, South Park and The Daily Show.
“A few people who did click on the link reported that it took you to a page outside of Facebook that asks you for some information about you,” reports TechCrunch. “The bottom of the page reads ‘Powered By AWeber Email Marketing’.”
The malicious link in question appears to have since been taken down, but users have reported that other links were spread with the help of the same flaw.
Sendible claims that its application wasn’t hacked. “This is a flaw in Facebook’s API and may affect all third party Facebook applications,” it says. “To ensure this doesn’t happen again, we’ve agreed with Facebook to remove the feature on Sendible that allows fans of Facebook pages to update multiple pages at once.”
Facebook, for its part, says there was both a bug on its platform and a flaw in the API call made by Sendible:
We’ve looked into this more. We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn’t have. There was a flaw in Sendible’s API call that caused Sendible to incorrectly request that posts users had intended to make on the Walls of Pages they liked be rendered on behalf of those Pages themselves. This bug caused those requests to go through. Upon discovering the bug, we immediately began work to fix it. It’s now been resolved, and these posts can no longer be made. Sendible has also fixed the flaw on its end. We’re not aware of any cases in which the bug was used maliciously.