Facebook has confirmed that the recent issue with posts was on their end. A representative told SecurityWeek via email, "We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn't have. Upon discovering the bug, we immediately began work to fix it. It's now been resolved, and these posts can no longer be made. We're not aware of any cases in which the bug was used maliciously."
A representative from Sendible stated that they had discussed the issue with Facebook over the phone. Facebook acknowledged the problem but could not reproduce it on their end. "They've agreed to patch the issue by the end of the day. In the meantime, we've agreed to remove the feature on Sendible that allows fans of Facebook pages to automate posts."
Several Facebook Pages, including those of large brands, sent a link to their followers that read, "Change Your Facebook Background Here!" The link directed to "tinyurl.com/facetheme321," which led to a form hosted by popular email marketing service provider AWeber. At the time, the form could not load, possibly due to capacity issues.
An earlier report from TechCrunch suggested that Sendible, a tool many companies use to manage social media initiatives, including Facebook fan pages, may have been hacked. However, Sendible representatives claim their platform has not been hacked.
We contacted Sendible for comment, and they provided the following information about the incident:
- Sendible allows users to add Facebook Pages they are fans of or administer.
- Users can post to these pages via Facebook’s API using Sendible.
- Usually, these posts appear as the Facebook user and not as the Facebook page itself.
- In this case, one of our users sent an update to a few popular Facebook pages, assuming it would appear from his username.
- Instead, the posts appeared from the page itself.
- This is a major flaw in Facebook’s API.
Sendible contacted the user to determine if the action was intentional. The user responded, “I wanted to post only on a few Facebook walls as a fan, and for some reason, it posted as the page owner. Weird." Sendible also posted an update on Twitter, saying, "This appears to be a bug in Facebook's API as the posts should have been displayed as the user profile and not the page owner."
At this point, it's unclear whether the issue lies with Sendible or Facebook's API. Sendible maintains that it is not their fault. We are waiting to hear back from Facebook.
Facebook has responded with little information, stating they are in touch with Sendible and will provide more details when available. Facebook also confirmed they began removing the posts immediately after discovering them.