A clever spammer found a glitch in Facebook's photo upload system and used it to post thousands of unwanted Wall messages last week.
Facebook confirmed the bug on Friday, after notifying affected users of the issue.
Andrew Jones was one of the victims. He thought that his Facebook account had been hijacked after a friend pointed out a spam message on his wall. He quickly changed his password, but worried that some of his other email accounts might have been taken over too. "No other signs of compromise were visible, and I concluded the most likely scenario was a public computer I had used recently had some type of malware on it," he said.
It turns out that the problem was all Facebook's.
"Earlier this week, we discovered a bug in the code that processes photos as they're uploaded. This bug caused us not to make the correct checks when determining whether a photo should be posted to a person's profile," Facebook said on Friday. "We quickly worked to resolve the issue and fixed it shortly after discovering it. For a short period of time before it was fixed, a single spammer was able to post photos to people's profiles that they hadn't approved."
Most of the messages promised "Free iPhones", a common spam message on Facebook these days. The free iPhone and iPad messages generally take users to websites where they are instructed to fill out marketing surveys or sign up for product subscriptions. Victims have reported having their phone numbers inundated with calls after filling out these surveys.
Facebook says that the spammer hit thousands of profiles before the company removed the spammy photos and notified affected users. No accounts were compromised as a result of the bug, Facebook said.
People whose Walls were hit with the spam got a notice from Facebook's security team, reading:
"For a few hours on Sunday, there was a spamming incident on Facebook. During this time, photos - mostly of supposedly 'free' iPhones - were posted to some people's Walls, including yours. We've removed the photo from your Wall and fixed the issue that allowed spammers to do this. We're sorry about the photo, but can assure you that this did not affect the security of your account in any way."
Spammers love Facebook because users are more likely to click on Facebook messages and wall posts than on links in unsolicited email messages.
This week, Facebook introduced new controls that allow users to see if unauthorised computers have been used to log into their accounts.
But spammers will keep trying to use Facebook, according to Chris Boyd, a senior researcher with security vendor GFI Software.
The spam images used by this "Free iPod" spammer can be highly effective, he said. "Image spam is a great way for scammers to promote fake applications and surveys," he said via instant message. "An individual likely to fall for something like this will probably be more attracted by a nice picture than a random spam-link."