If you're using one of those dodgy social media services that promises you more likes and comments and a thin veneer of internet popularity, you might be trading away more than you think. A security company has found thousands of otherwise legitimate Facebook accounts — ones that signed up for a boost in their own online presence — leaving spam comments promoting the service on popular Facebook pages.
Proofpoint observed the abuse on the Facebook pages of one of its customers, a "major media company", where it ran unchecked for about eight hours before Facebook shut it down. Tens of thousands of comments from the botnet, posted using access tokens issued to an outdated version of the HTC Sense Facebook app preinstalled on many of the manufacturer's older handsets, made up more than half the messages on the media company's page. The posts were continuous, and every one of them promoted the bot itself as a way for users to increase the likes and comments on their own accounts.
To sign up for the service, users were instructed to hand their own Facebook access token for the HTC Sense app to a third-party website. An access token is a bearer credential: whoever holds it can call the Graph API as that user, with every permission the app was granted. The website's operators therefore collected the ability to post from tens of thousands of Facebook accounts and directed them as a social-spamming botnet.
From Proofpoint: "This social engineering threat is particularly interesting because it required social media users to give up a developer access token to an app so that criminals could use legitimate user credentials to post malicious content to Facebook pages. The actors behind it provided detailed instructions on how to access the token, and even though there is no vulnerability in the social media platform itself, the company has taken steps to prevent end users from accessing developer API tokens to thwart future attempts."
Proofpoint stresses that the issue is not isolated to the HTC Sense Facebook app, and that the app itself is not vulnerable. The problem is the outdated Facebook Graph API version the legacy app was built against, together with the broad profile permissions that version let an app request, including posting on the user's behalf. Any token issued to the app carries those permissions wherever it goes, and the app stays in use on devices that aren't kept up to date.
"HTC is essentially an innocent bystander that was chosen because of its app permissions, but this example highlights a broader industry issue. Developers often maintain legacy versions of apps to support older operating systems and hardware, opening the door to the kinds of threat we saw here, even when the apps don’t have a vulnerability to exploit that could give someone elevated access."
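Detecting a flood like the one described above, where thousands of distinct but otherwise legitimate accounts each post one templated comment, is something a page owner can do from the comment feed alone. The following is an added example and is not Proofpoint's code or anything from the original article: it clusters comments by a normalized template, flags templates that many distinct accounts post and that take a large share of the feed, and lists the account IDs so the page admin can hide their comments. The feed, account IDs, timestamps and messages are constructed, and the flattened field names (`from_id`, `message`, `created_time`) are an assumption about how Graph API comment objects would be pulled into a record.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed for a page. Keys are assumed to be Graph API comment
# fields (from.id, message, created_time) flattened into a dict; every account
# ID, timestamp and message below is made up for this example.
SAMPLE_COMMENTS = [
    {"from_id": "1001", "created_time": "2014-09-24T13:00:05+0000",
     "message": "Great interview, thanks for posting."},
    {"from_id": "1002", "created_time": "2014-09-24T13:02:41+0000",
     "message": "Disagree with the second point but a good read."},
    {"from_id": "1003", "created_time": "2014-09-24T13:05:12+0000",
     "message": "When is part two coming out?"},
    {"from_id": "1004", "created_time": "2014-09-24T13:07:58+0000",
     "message": "Shared this with my team."},
    {"from_id": "1005", "created_time": "2014-09-24T13:09:30+0000",
     "message": "Great interview, loved it"},
    {"from_id": "1006", "created_time": "2014-09-24T13:12:03+0000",
     "message": "The link in the article is broken for me."},
]
# The botnet burst: twelve distinct (hijacked but legitimate) accounts, one
# comment each within ten minutes, the same pitch with number and URL varied.
for i in range(12):
    SAMPLE_COMMENTS.append({
        "from_id": f"9{i:03d}",
        "created_time": f"2014-09-24T13:1{i % 10}:{(i * 7) % 60:02d}+0000",
        "message": (f"Get {500 + i * 250} free likes and comments on your profile! "
                    f"Sign up at http://likes-bot{i}.example/join"),
    })

URL_RE = re.compile(r"https?://\S+")
DIGITS_RE = re.compile(r"\d+")
NOISE_RE = re.compile(r"[^a-z<> ]+")


def normalize(message):
    """Reduce a comment to a template so lightly varied copies cluster together:
    lowercase, replace URLs and numbers with placeholders, drop punctuation."""
    m = URL_RE.sub("<url>", message.lower())
    m = DIGITS_RE.sub("<n>", m)
    m = NOISE_RE.sub(" ", m)
    return " ".join(m.split())


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_campaigns(comments, min_accounts=5, min_share=0.25, window=timedelta(hours=1)):
    """Flag comment templates that look like a coordinated campaign: many distinct
    accounts posting the same template, and that template taking a large share
    of the page's comments. Returns one record per flagged template, largest first."""
    total = len(comments)
    by_template = defaultdict(list)
    for c in comments:
        by_template[normalize(c["message"])].append(c)

    hits = []
    for template, items in by_template.items():
        accounts = {c["from_id"] for c in items}
        share = len(items) / total
        if len(accounts) < min_accounts or share < min_share:
            continue
        times = [parse_time(c["created_time"]) for c in items]
        hits.append({
            "template": template,
            "comments": len(items),
            "accounts": len(accounts),
            "share": round(share, 3),
            # Near 1.0 means one post per account: a pool of hijacked real
            # accounts rather than a single spammer posting repeatedly.
            "posts_per_account": round(len(items) / len(accounts), 2),
            "peak_per_window": peak_in_window(times, window),
            "account_ids": sorted(accounts),
        })
    hits.sort(key=lambda h: h["comments"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_campaigns(SAMPLE_COMMENTS):
        print(f"{hit['comments']} comments from {hit['accounts']} accounts "
              f"({hit['share']:.0%} of feed, peak {hit['peak_per_window']} per window): "
              f"{hit['template']!r}")
        print("hide/ban candidates:", ", ".join(hit["account_ids"]))
```

Because the posting accounts belong to real users who handed over their tokens, the flagged IDs are candidates for hiding comments and for reporting the campaign to the platform, not attacker infrastructure to block outright; what actually needs revoking is the access tokens those users gave away.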
The takeaway from this? Keep all your apps updated, don't grant permissions to apps just because they ask for them, and never hand an app's access token to a third party, whatever it promises in return. Facebook also publishes a long list of pointers for developers to follow when building their apps.