We've received several rapid-fire tips indicating a major compromise in the Facebook app Sendible.

Several prominent Facebook Pages, including Google, Coca-Cola, YouTube, South Park, The Daily Show, and Team Coco, are sending out a malicious link to their followers. The link reads, "Change Your Facebook Background Here!" It's crucial not to click on this link.

Those who clicked on the link reported being redirected to a page outside Facebook that asked for personal information. The bottom of this page reads, "Powered By AWeber Email Marketing." Oddly, many other Facebook users are "liking" these links.

We've contacted Facebook about the issue and will update once we receive their response. The compromised accounts suggest that this malicious link is appearing in tens of millions of feeds right now.

Most of the malicious links have been removed, but tips indicate the attack is ongoing, with new links continuing to appear. We still have not heard back from Facebook regarding the incident.

From Mazy Kazerooni:
The Sendible hack affected Lil Wayne's Facebook page (15 million fans). I'm an admin and blocked the app. They tried to post multiple times.

Sendible is now stating that it wasn't their platform that was hacked, but rather a Facebook security exploit. According to Sendible:
"Just to clarify, Sendible was not hacked. One of our users discovered a major flaw in Facebook's security."

Facebook has finally responded in full:

"We've looked into this. We began removing the posts immediately upon discovering them, shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn't have. There was a flaw in Sendible's API call that caused Sendible to incorrectly request that posts users had intended to make on the Walls of Pages they liked be rendered on behalf of those Pages themselves. This bug caused those requests to go through. Upon discovering the bug, we immediately began work to fix it. It's now resolved, and these posts can no longer be made. Sendible has also fixed the flaw on its end. We're not aware of any cases in which the bug was used maliciously."

