We’ve just received about a half dozen rapid fire tips all showing the same thing: the Facebook app Sendible compromised in a major way.
It appears that several of the largest Facebook Pages including Google, Coca-Cola, YouTube, South Park, The Daily Show, Team Coco and others are now sending out a malicious link to all of their followers that reads “Change Your Facebook Background Here!” Obviously, don’t click on it.
A few people who did click on the link reported that it took you to a page outside of Facebook that asks you for some information about you. The bottom of the page reads “Powered By AWeber Email Marketing”.
The weirdest part is just how many other Facebook users are “liking” these links.
We’ve contacted Facebook about the issue and will update when we hear back from them. But these accounts compromised seem to suggest that this link is showing up in tens of millions of feeds right now.
Update: And it looks like most of the malicious links have now been taken down. But more tips are coming in that the attack is ongoing and other links keep popping up. Still no word yet from Facebook on the incident.
Update 2: From Mazy Kazerooni:
The Sendible hack hit Lil Wayne’s Facebook page (15 MM fans). I’m an admin, blocked the app. They tried to post multiple times
Update 3: And now Sendible is saying it wasn’t them that was hacked, instead this may be a Facebook security exploit:
Just to clarify, Sendible was not hacked. One of our users has discovered a major flaw in Facebook’s security.
Update 11/10: Facebook has finally responded in full:
We’ve looked into this more. We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn’t have. There was a flaw in Sendible’s API call that caused Sendible to incorrectly request that posts users had intended to make on the Walls of Pages they liked be rendered on behalf of those Pages themselves. This bug caused those requests to go through. Upon discovering the bug, we immediately began work to fix it. It’s now been resolved, and these posts can no longer be made. Sendible has also fixed the flaw on its end. We’re not aware of any cases in which the bug was used maliciously.
[image via moyajaya]