Are you using facebook-login in any ANDROID / IOS / Windows / Blackberry or on any website like Quora, Foursquare, Candy Crush Saga, Criminal Case or in any application or website ?
Beware....any application can post any message or image or video on your friend's timeline or on your timeline without asking you.
Through a script i have written, any application can post any text, image or video on user's and his friend's timeline without taking any permissions or acknowledging user.
Bug :- The bug I reported to Facebook is related to User's privacy.It is related to breach of authentication bridge by posting on User's & his friends wall without taking any Publish Permissions.
Description :- According to Facebook documentation, an application can not post to User's wall & his friends' wall without taking any Publish Permission.
Vulnerability: Using the script i have written, after logging in from Facebook credentials and having acquired only BASIC_PERMISSIONS, script can post any text or share any link on User's and his friends wall, WITHOUT informing user , through a background process.
Read more at : http://yourstory.com/2014/04/vivek-bansal-techie-tuesdays/