User:Spellcheck/Nicole Santos Facebook Hack

On the afternoon of May 12th, around 11:30pm (PST) a message started propagating across the walls of Facebook users' accounts. It falsely purported to be from a person named Nicole Santos, linking to her profile. The most prominent version of the virus contained the text "Fuck you faggot. Go kill yourself. Vote for Nicole Santos. I hate you and the only way to remove all these posts is by disabling this below." According to her profile picture, Nicole Santos was running for junior class president. Variants of the message included "Do whatever the fuck you want" instead of "Vote for Nicole Santos," as well as various other customizations, as the code was easy to modify and deploy.

The "Remove this App" link below the message, which sat next to the 'Comment' and 'Like' buttons, did not actually remove the app; instead it used inline JavaScript to re-post the message to the victim's friends' walls. The virus spread quickly, and "Nicole Santos" was trending on Twitter within minutes. Many users' news feeds were shut down, and posts began disappearing on their own, as Facebook apparently started cleaning up the intrusion. All traces of it had disappeared within 30 minutes. Part of Facebook's response appears to have been that, for several users, it simply disabled all news feed posts older than 25 minutes; this is thought to have occurred around 11:45 (PST).

This attack was notable for its speed and reach: several variants of the virus spread in a matter of minutes, because each copy posted itself to all of a user's friends, and users who quickly clicked the poisoned link to remove the content from their profiles inadvertently spread the virus further. Facebook took quick and decisive action to stop the virus but has not yet publicly commented on it.

Technical Details
A copy of the code used in the hack was posted on several online paste sites, such as Pastebin.com. The code used the Facebook API, in combination with the user's session cookie, to create a news feed post that appeared to come from the Facebook for iPhone app. This was possible because Facebook allowed inline JavaScript in the action links attached to wall posts. The injected link loaded and then called an external JavaScript file hosted on Dropbox. That external JavaScript used the API to retrieve the user's friends list and, posing as the Facebook for iPhone application, made further API calls to post itself to the friends' walls.
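The root cause described above is an action-link field that accepted a `javascript:` target. As an added example (not code from the original page or from Facebook), the following scheme allowlist shows the server-side check a platform would apply to such user-supplied link targets, including the case, whitespace and HTML-entity tricks that defeat a naive prefix test; `siteOrigin` and the sample posts are assumed placeholders.

```javascript
// Added example, not code from the original page or from Facebook: a scheme
// allowlist for user-supplied "action link" targets, the input the page says
// was allowed to carry inline JavaScript. Parsing follows WHATWG URL rules.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Decode the HTML entities a naive prefix check would miss, e.g. "&#106;avascript:".
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n")
    .replace(/&colon;/gi, ":");
}

// Returns { ok: true, url } for an acceptable http(s) link, otherwise { ok: false, reason }.
// Relative links resolve against siteOrigin (an assumed placeholder), so no scheme can hide in a path.
function validateActionLink(rawHref, siteOrigin = "https://example.invalid") {
  if (typeof rawHref !== "string" || rawHref.length > 2048) {
    return { ok: false, reason: "missing or oversized href" };
  }
  let url;
  try {
    // Browsers trim leading/trailing C0 controls and spaces and ignore tab/newline anywhere.
    const cleaned = decodeEntities(rawHref)
      .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
      .replace(/[\t\n\r]/g, "");
    if (cleaned === "") return { ok: false, reason: "empty href" };
    url = new URL(cleaned, siteOrigin);
  } catch {
    return { ok: false, reason: "unparseable href" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  return { ok: true, url: url.href };
}

// Sweep stored posts and return the ids whose action link is now rejected (constructed samples).
function flagPosts(posts) {
  return posts.filter((p) => !validateActionLink(p.actionHref).ok).map((p) => p.id);
}

const SAMPLE_POSTS = [
  { id: 1, actionHref: "https://apps.example.com/remove?id=7" },
  { id: 2, actionHref: "javascript:void(0)" },
  { id: 3, actionHref: " &#x6A;ava\tscript&colon;void(0)" },
];
```

The allowlist closes only the inline-script vector the page describes; a link that passes it still points wherever its author chose, so the host and path need their own policy.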