SOCIAL NOTWORKING privacy shredder Facebook has patched a cross-site scripting (XSS) exploit that sneakily made mobile phone users visiting infected websites post automated messages on their 'walls'.
Insecurity firm Symantec said that thousands of messages were posted by unwitting users on their own and their friends' Facebook walls. It spread quickly because some of the posted links led people to further infected websites, and it was easy to recreate, so many bad guys launched copycat attacks.
The worm exploited a vulnerability in the mobile API version of Facebook caused by insufficient JavaScript filtering. It snared users who visited any website that had a booby-trapped iframe element containing JavaScript.
Symantec security expert Candid Wueest said, "Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall."
"There is no other user interaction required, and there are no tricks involved, like clickjacking. Just visiting an infected website is enough to post a message that the attacker has chosen."
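The defect the article describes, insufficient filtering of attacker-controlled content before it is rendered on a page, is the classic root cause of this kind of injection. The Python below is an added illustration, not Facebook's or Symantec's code: it contrasts a blocklist filter that only strips script tags with proper contextual output encoding, using a constructed sample post that carries an iframe element, the vector the article names. The filter, helper names and sample text are all assumptions made for this example.

```python
import html
import re

# A naive blocklist filter of the kind the article calls "insufficient
# JavaScript filtering": it only strips <script> tags and lets every other
# element through. (Constructed illustration, not Facebook's actual filter.)
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_filter(untrusted: str) -> str:
    """Remove <script> tags only; other markup survives untouched."""
    return SCRIPT_TAG.sub("", untrusted)


def escape_for_html(untrusted: str) -> str:
    """Contextual output encoding for an HTML text node or attribute value.

    Every character that could begin markup (<, >, &, quotes) becomes an
    entity, so the browser renders the content as text, never as an element.
    """
    return html.escape(untrusted, quote=True)


def contains_markup(rendered: str) -> bool:
    """True if the string still holds something a browser would parse as a tag."""
    return re.search(r"<\s*/?[a-zA-Z]", rendered) is not None


# Constructed sample "wall post" containing an iframe element; the URL is a
# placeholder under the reserved .invalid TLD, not a real site.
SAMPLE_POST = 'Check this out <iframe src="https://example.invalid/page"></iframe>'


def compare_filters(post: str = SAMPLE_POST) -> dict:
    """Return both renderings and whether each still contains live markup."""
    filtered = naive_filter(post)
    escaped = escape_for_html(post)
    return {
        "naive_output": filtered,
        "naive_still_has_markup": contains_markup(filtered),
        "escaped_output": escaped,
        "escaped_still_has_markup": contains_markup(escaped),
    }


if __name__ == "__main__":
    for key, value in compare_filters().items():
        print(f"{key}: {value}")
```

The point of the comparison is that stripping known-bad tokens leaves everything the blocklist did not anticipate, whereas encoding for the output context neutralises all of it. Escaping addresses the injection itself; because the article's worm also made the browser act on the victim's behalf, a site relying on a logged-in session additionally needs a per-request anti-forgery token on any state-changing call such as a wall post.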
XSS attacks on Facebook users are nothing new, but what set this one apart was that it targeted smartphones and needed only a single tap on a link to catch a user.
The attack was more annoying than truly damaging, but it showed the increasing care that mobile users have to take if they want to browse websites on their smartphones. µ