Want CNET to notify you of price drops and the latest stories?

Facebook closes hole that let spammers auto-post to walls, friends

Social-networking site plugs a second hole that allowed spammers to automatically post to people's pages.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills

Facebook has closed a hole that was being used by spammers to automatically post wall messages and direct messages to friends, the company said on Tuesday.

Just clicking on the link to one of the applications that were taking advantage of the bug would allow the auto-posting to happen, Facebook said. The apps, which appeared to be sending people to a survey Web site, were disabled on Monday after being discovered earlier that day, the company said.

"Earlier this week, we discovered a bug that made it possible for an application to bypass our normal CSRF (cross-site request forgery) protections through a complicated series of steps. We quickly worked to resolve the issue and fixed it within hours of discovering it," Facebook said in a statement. "For a short period of time before it was fixed, several applications that violated our policies were able to post content to people's profiles if those people first clicked on a link to the application."

Facebook users should be wary of suspicious-looking links, even if they come from friends.

AllFacebook called it "one of the fastest spreading scams we've seen on Facebook to date, and also one of the largest security glitches in the Facebook platform."

The scam comes just days after Facebook fixed a similar bug in its photo-uploading process that allowed a spammer to post photos to people's profiles that had not been approved.