A Facebook cross-site scripting (XSS) vulnerability was used to launch a self-propagating spam worm on the social network, according to security researchers from Symantec.
The XSS vulnerability was located in the Facebook mobile API and was caused by insufficient JavaScript validation.
In order to exploit it, attackers created a Web page containing a specially crafted iframe element that forced all logged in Facebook users visiting it to post rogue messages on their walls.
By crafting the spammed message to lure users into visiting the malicious site, the hackers were able to create a self-propagating worm.
