Social-networking services provider Sendible says it's uncovered a major flaw in how Facebook works and is cooperating with Facebook to fix the issue.
Sendible said in a blog post late Tuesday night that it noticed the problem when "one of our users sent an update to a few popular Facebook pages, assuming they would appear to come from his profile. Instead, they posted as if they had come from the page itself." Sendible adds, "Usually these posts appear as the Facebook user and not as the Facebook page itself."
When Sendible contacted the user, he replied: "I wanted to post only a few facebook walls as a fan — and for some reason, posted as the page Owner. Weird."
TechCrunch yesterday got wind of the problem after the news site received "about a half dozen tips" about Facebook pages "including Google, Coca-Cola, YouTube, South Park, the Daily Show, Team Coco and others are now sending out a malicious link to all of their following that reads 'Change Your Facebook Background Here!', adding it would be advised not to click on it." TechCrunch said those that clicked on the link were directed "to a page outside of Facebook that asks you for information about you," and reported that the bottom of the page read "Powered by AWeber Email Marketing."
Yesterday, TechCrunch surmised that the Facebook app Sendible -- which has a service that lets fans of Facebook pages update multiple pages at once -- was "compromised in a major way."
However, Sendible refuted that, saying it has actually "helped discover a security flaw in Facebook's API." Sendible said no user accounts were compromised and that it was not hacked.
Sendible then said, "To ensure this doesn't happen again, we've agreed with Facebook to remove the feature on Sendible that allows fans of Facebook pages to update multiple pages at once. Facebook has also agreed to release a patch by the end of the day so that no other Facebook applications will be affected."
Sendible did not respond to further requests for clarification.
A Facebook spokesperson said: "We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn't have. Upon discovering the bug, we immediately began work to fix it. It's now been resolved, and these posts can no longer be made. We're not aware of any cases in which the bug was used maliciously."