Facebook was hit by a worm that rapidly replicated itself across users' accounts, at the same time as a development bug in the system scared users into thinking that they had been infected by malware. The real worm showed up as a status update from an infected contact, with the message "My ex-girlfriend cheated on me...Here is my revenge!" The developer used CSS to trigger the 'share' event automatically when the message is clicked, according to Facebook blog allfacebook.com. Anyone clicking on the message had it automatically copied to their own status update.
Users who were unfortunate enough to have clicked on the link are advised to change their usernames and passwords.
"This is an example of clickjacking, where a website contains embedded code that causes an action to be taken through the browser without the user’s knowledge or permission", Facebook told Infosecurity. "This problem isn’t specific to Facebook, but we’re always working to improve our systems and are building additional protections against this type of behavior."
"We’ve blocked the URL associated with this site, and we’re cleaning up the relatively few cases where it was posted (something email providers, for example, can’t do)", Facebook added. "Overall, an extremely small percentage of users were affected."
The worm appeared shortly after a confusing 'rogue application' emerged, worrying Facebook users. The application, which has no name, appeared to add itself to people's accounts without their consent, according to reports from worried Facebook users.
"I have an application called the Unnamed App that has been added to my profile without my consent," posted one user. "Is this something that Facebook added automatically? I saw on a friend's status update that it could be spyware...is this true?"
"This was a bug, which we have now fixed," said Facebook on its security page. "It did not damage any accounts. Be wary of any sites that claim to be able to fix this, as they might contain malicious software."
The bug in the Facebook user interface made a normally hidden system tab visible in the browser. The system tab holds Boxes from applications that Facebook users don't want to appear on their regular profile page.
Online criminals were quick to create malicious pages designed to poison search engine results delivered to users trying to find information on the subject.
In yet another problem for Facebook, reports emerged of a new and more serious privacy bug in the new Facebook Application Dashboard, which the company will roll out to its user base in the next few weeks. It was possible for users to view the latest applications that their friends have been using, said reports. The application and games dashboards have been made available in beta form for Facebook developers to test their applications, prior to a wider launch.