Simply clicking a link to one of the applications exploiting the bug was enough to trigger the automatic posting, Facebook said. The apps, which appeared to send people to a survey Web site, were disabled on Monday, the company said.
"Earlier this week, we discovered a bug that made it possible for an application to bypass our normal CSRF (cross-site request forgery) protections through a complicated series of steps. We quickly worked to resolve the issue and fixed it within hours of discovering it," Facebook said in a statement. "For a short period of time before it was fixed, several applications that violated our policies were able to post content to people's profiles if those people first clicked on a link to the application."
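The statement above refers to CSRF protection without saying what it consists of. The following is an added illustration, not code from Facebook or from this article, of the standard defence a platform applies to a state-changing request such as "post to a user's profile": the request must be a POST, must carry a token bound to the user's session that a third-party page cannot read, and must come from an allowed Origin. The request dictionaries, the `app.example` origin and the `SERVER_SECRET` are constructed for the example; the scenarios at the end show why merely following a link (a cross-site GET) or submitting a cross-site form with only the victim's cookie is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real deployment loads this from a key store.
SERVER_SECRET = secrets.token_bytes(32)

# Origins permitted to submit state-changing requests (constructed value).
ALLOWED_ORIGINS = {"https://app.example"}


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to this session: random nonce plus an HMAC over
    (session_id, nonce). A page on another origin can make the browser send the
    session cookie, but it cannot read this token, so it cannot forge it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_post_to_profile(request: dict) -> tuple[int, str]:
    """Server-side checks for a 'post to profile' endpoint.
    request is a constructed dict: method, headers, cookies, form."""
    if request["method"] != "POST":
        # A plain link click is a GET; it must never change state.
        return 405, "state change requires POST"
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    token = request["form"].get("csrf_token")
    if not token or not token_is_valid(session_id, token):
        return 403, "csrf token missing or invalid"
    return 200, "posted to profile"


def simulate() -> dict:
    """Run four constructed requests against the handler and return the outcomes."""
    victim_session = "sess-victim"
    good_token = issue_csrf_token(victim_session)
    other_token = issue_csrf_token("sess-attacker")

    legitimate = {
        "method": "POST",
        "headers": {"Origin": "https://app.example"},
        "cookies": {"session": victim_session},
        "form": {"csrf_token": good_token, "message": "hello"},
    }
    # "Just clicking a link": the browser issues a GET with the victim's cookie.
    link_click = {
        "method": "GET",
        "headers": {},
        "cookies": {"session": victim_session},
        "form": {},
    }
    # Cross-site auto-submitted form: cookie present, no token, foreign Origin.
    cross_site_post = {
        "method": "POST",
        "headers": {"Origin": "https://survey.example"},
        "cookies": {"session": victim_session},
        "form": {"message": "spam"},
    }
    # Correct origin spoofed somehow, but token belongs to a different session.
    wrong_session_token = {
        "method": "POST",
        "headers": {"Origin": "https://app.example"},
        "cookies": {"session": victim_session},
        "form": {"csrf_token": other_token, "message": "spam"},
    }
    return {
        "legitimate": handle_post_to_profile(legitimate)[0],
        "link_click": handle_post_to_profile(link_click)[0],
        "cross_site_post": handle_post_to_profile(cross_site_post)[0],
        "wrong_session_token": handle_post_to_profile(wrong_session_token)[0],
    }


if __name__ == "__main__":
    for name, status in simulate().items():
        print(f"{name}: {status}")
```

The token is bound to the session by the HMAC, so a token harvested from one account is useless against another, and `hmac.compare_digest` avoids leaking the comparison through timing. The Origin check is a second, independent layer; a bypass of the kind the article describes is exactly the situation in which having both matters.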
Facebook users should be wary of suspicious-looking links, even if they come from friends.
Hacker Club 4U called it "one of the fastest spreading scams we've seen on Facebook to date, and also one of the largest security glitches in the Facebook platform."
The scam comes just days after Facebook fixed a similar bug in its photo-uploading process that allowed a spammer to post unapproved photos to people's profiles.