wpostServer: http://css.washingtonpost.com/wpost2

Most Read: Business

S&P 500
 Last Update: 11:22 AM 07/25/2014

World Markets from      


Other Market Data from      


Key Rates from      

Faster Forward
Posted at 06:44 PM ET, 03/29/2011

Symantec warns about Facebook auto-posting attack

In a blog post Tuesday afternoon, Symantec identified a weakness in Facebook’s API that groups are using to auto-post messages to Facebook users’ walls.

According to the blog post, a weak point in the social network’s mobile API exposes users to the worm. Anyone who is logged into Facebook who goes to an infected site can pick up an element that posts a message to the user’s Facebook profile.

The worm is particularly popular in Indonesia.

“Just visiting an infected website is enough to post a message that the attacker has chosen,” Symantec’s Candid Wueest wrote. “Therefore it should be of no surprise that some of those messages are spreading very fast through Facebook. Some are posting links to infected websites, creating XSS worms that spread from user to user.”

Symantec has informed Facebook of the issue and said that the attack will work whether or not users have enabled SSL. The security company suggests that Facebook users log out of the site when it’s not in use or use security tools to block users from going to infected sites.

(Post Co. Chairman and Chief Executive Donald E. Graham sits on Facebook’s board of directors, and the newspaper and many Post staffers use Facebook for marketing purposes.)

A survey released today by BitDefender, a maker of virus protection software, found that 87 percent of users recognize fishy posts (like the ones produced by this latest worm) but only 43 percent warn other users about them.

What do you do when you see a suspicious post on your friends’ walls? Do you tell them? Or do you ignore it?

Related stories:

Facebook offering site-wide 'HTTPS' security

Facebook adds one-time passwords, remote logout

By  |  06:44 PM ET, 03/29/2011

Read what others are saying

    © 2011 The Washington Post Company