A currently unpatched XSS vulnerability in the mobile API version of Facebook is currently being exploited to post messages to users’ Walls, which serve as a gateway to the specially crafted website exploiting the flaw.
The flaw has been misused for a while now, but has only recently been used widely. Indonesian users are currently targeted by various groups using the vulnerability to their advantage.
No user interaction is needed, so the messages are spreading through Facebook at a fast pace. Facebook’s security team has been notified about the vulnerability and is working on a fix. Hopefully it will be issued soon, since the attack seems easy to recreate.
Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent the attack.