Facebook blames bug for Zuckerberg page hack

Odd message appears as status update on Facebook CEO's fan page suggesting the social network turn to users instead of banks for funding.

Elinor Mills Former Staff Writer

A bug allowed an unidentified person to post a message on Facebook CEO Mark Zuckerberg's fan page on the site yesterday, a spokesman told CNET today.

Facebook CEO Mark Zuckerberg's fan page had a strange message for a while yesterday before it was removed. Screenshot by Sophos

The odd message that garnered more than 1,800 "likes" and more than 400 comments before it was taken down was: "Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn't Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a 'social business' the way Nobel Prize winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011"

A Facebook spokesman provided this e-mail statement today: "A bug enabled status postings by unauthorized people on a handful of public pages. The bug has been fixed."

Whoever is responsible only had the ability to post on the page and did not have access to private data on the Facebook account, Joe Sullivan, chief security officer at Facebook, said in a follow-up interview with CNET this morning. "It was a very limited bug in that it only applied to the ability to post," he said.

Specifically, the bug was in an API (application programming interface) that allows publishing functionality on the site, said Ryan McGeehan, security manager for incident response at Facebook.

Only a handful of high-profile accounts were affected, they said, declining to offer exactly whose pages were targeted. They also declined to comment on whether the hack earlier this week of French President Nicolas Sarkozy's Facebook page was related. Someone had posted a message on the official's page saying he would be stepping down next year.

Asked if they knew who was responsible for the breaches, Sullivan said he could not comment further because it is an active investigation.

"It's astonishing the level of speculation without accurate information" in published reports, he said. "There was the (false) assumption that there was unauthorized access to information...Our commitment is to try and prevent that and respond incredibly quickly when something happens."

"Facebook users--famous or not--need to take better care of their social-networking security," said Graham Cluley, senior technology consultant at Sophos, in a statement. "Mark Zuckerberg might be wanting to take a close look at his privacy and security settings after this embarrassing breach. It's not clear if he was careless with his password, was phished, or sat down in a Starbucks and got sidejacked while using an unencrypted wireless network, but however it happened, it's left egg on his face just when Facebook wants to reassure users that it takes security and privacy seriously."

Sophos has more about the incident here.

The odd message posted to Zuckerberg's fan page relates to Facebook's announcement last week that it had raised $1.5 billion at a $50 billion valuation; $1 billion of it comes from investment bank Goldman Sachs, which opened up the round to participation from wealthy overseas clients.

Also today, Facebook announced that it is now offering users the ability to secure their connection with the site using HTTPS (Hypertext Transfer Protocol Secure). It is rolling the option out to users and hopes to offer it as a default in the future. Enabling full-session HTTPS will eliminate the ability for attackers to compromise Facebook accounts by using tools like the Firefox plug-in called Firesheep.

Updated 10:50 a.m. PT with comment from Facebook's chief security officer and security manager for incident response, and with information on Facebook offering an HTTPS option to users.

CNET's Caroline McCarthy contributed to this report.

(Original post via TechCrunch.)