Currently a new and unpatched cross-site scripting (XSS) vulnerability in Facebook is being widely used to automatically post messages to other users' walls. The vulnerability had been used for some time in a few smaller cases; however, it is now being used widely for the first time by many different groups, especially in Indonesia, where we are seeing thousands of infected messages being posted by unwitting users.
Unfortunately, since the attack is very easy to recreate, we have already started seeing a few dozen copycats starting new attack waves with different messages.
We informed Facebook’s security team and they are working on a fix for this issue.
This attack works whether or not you have enabled the SSL option in Facebook. Therefore it might be a good idea, for now, to log out of Facebook while you are not using it, or to use security tools that protect you from, or block you from visiting, infected sites. For example, the NoScript extension for the Firefox browser is able to detect this XSS worm attack.
UPDATE (March 29, 2011): Facebook has informed us that they have patched this XSS vulnerability. In addition, they are currently working on steps to remediate damage caused by the attack.