Facebook worries: I didn’t post that


It is my assumption that most Facebook users don’t look at their own profile often. By your own profile, I mean the timeline that shows up when you click your own name or avatar in the Facebook menu.

[Image: profile menu]

That’s because we think we know exactly what is posted there, so why bother to look at it? After all, isn’t that supposed to be all the stuff that we posted ourselves?

The feeling of disorientation you get when you find something you are sure you didn’t post will be even worse if you notice that supposed messages have been sent from your Facebook Messenger account that you know you never sent. All in all, there might be some discrepancies between what you did and what actually shows up and that’s what this blog post is all about.

How do posts end up on your timeline that you didn’t post?

There are three main reasons that might be of some concern:

  1. Someone or something else has access to your Facebook account
  2. A Facebook app has the authorization to post on your timeline
  3. An active script or browser extension can post on your behalf

In all these cases, there is no immediate reason to worry as long as you know about it and trust the person, app, script, or extension that has access or authorization.

Authorized apps

We have seen it in the past, and I bet there are still active apps being spread among Facebook users by pretending to be spectacular videos. You may remember the “Man found inside Shark” and similar sensational posts, which try to trick you into downloading malware or installing a malicious app.

To check whether an app has the ability to post on your timeline, click on Settings:

[Image: Facebook settings]

On the left-hand side, click on Apps and select any app that doesn’t look familiar or trustworthy. You can see whether they can post on your timeline by looking at their permissions. If they have the authorization to post on your timeline, it will look like this:

[Image: post permission]

Delete apps you don’t trust or no longer use by clicking on the X that shows up when you hover over an app with your mouse pointer in the Apps menu.

[Image: remove app]

Scripts posting on your behalf

It is possible there is an active script (or program) that uses your credentials when you have Facebook opened in your browser. The script does not need to log in, but simply makes use of the fact that you already did log in. It doesn’t matter whether you did that actively or whether you relied on a cookie set in an earlier session.

These scripts can be hiding in your browser cache or in the shortcut that you use to open Facebook. You can find localized and browser-specific help on clearing your cache on this Facebook Help page for several browsers. If you suspect your shortcuts have been altered, you can bypass them by typing facebook.com in your browser’s address bar. Once you are sure the shortcuts have been altered, you can find methods on how to clean your browser shortcuts on our forums.

Browser extensions could be responsible for similar behavior. They can be removed following these procedures:

  • Internet Explorer: Tools (gear icon) > Manage add-ons > Toolbars and Extensions > Select the one(s) you don’t trust one by one and click “Disable”
  • Firefox: Menu (horizontal stripes) > Add-ons > click on “Disable” behind the ones you don’t trust or don’t recall installing.
  • Chrome: Menu (3 dots) > More Tools > Extensions > Uncheck “Enabled” behind the ones you don’t trust or don’t recall installing.
  • Opera: click the Opera icon > Extensions > Extension Manager > click on Disable below the ones you don’t trust or don’t recall installing.
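To decide which extensions deserve a closer look, it helps to check which ones are allowed to act on Facebook pages at all. The sketch below is an added example, not part of the original post: it reads an extension's manifest.json and lists the declared host patterns that cover www.facebook.com. The sample manifests and extension names are constructed for illustration.

```python
import json

TARGET_HOST = "www.facebook.com"  # the site this audit cares about

def pattern_covers_host(pattern: str, host: str = TARGET_HOST) -> bool:
    """True if a WebExtension match pattern can apply to pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # API permission names ("tabs") or non-web schemes
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # wildcard covers the domain and its subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def facebook_access(manifest_text: str) -> list[str]:
    """List the manifest entries that let an extension run on or reach Facebook."""
    manifest = json.loads(manifest_text)
    found = []
    for key in ("permissions", "optional_permissions",
                "host_permissions", "optional_host_permissions"):
        found += [(key, p) for p in manifest.get(key, [])]
    for script in manifest.get("content_scripts", []):
        found += [("content_scripts", p) for p in script.get("matches", [])]
    return [f"{key}: {p}" for key, p in found
            if isinstance(p, str) and pattern_covers_host(p)]

# Constructed sample manifests (not real extensions).
SAMPLES = {
    "video-downloader": '{"manifest_version": 2, "permissions": ["tabs", "<all_urls>"]}',
    "fb-helper": '{"manifest_version": 3, "permissions": ["storage"],'
                 ' "host_permissions": ["https://*.facebook.com/*"],'
                 ' "content_scripts": [{"matches": ["https://www.facebook.com/*"],'
                 ' "js": ["inject.js"]}]}',
    "weather": '{"manifest_version": 3, "permissions": ["storage"],'
               ' "host_permissions": ["https://api.weather.example/*"]}',
}

def audit(samples: dict[str, str]) -> dict[str, list[str]]:
    """Map each extension name to the entries that give it Facebook access."""
    return {name: facebook_access(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(f"{name}: {'REVIEW ' + '; '.join(hits) if hits else 'no Facebook access declared'}")
```

An extension flagged here is not necessarily malicious; the result only narrows down which ones are able to read or change what happens on Facebook in your browser.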

Stolen credentials

I’m posting about this last for a reason: the advice we give here does not only apply to cases where you know that someone or something you didn’t authorize posted on your behalf. If you have experienced or suspect that something or someone has been posting without your knowledge, including through one of the other options (scripts, rogue apps), we recommend that you change your password and enable 2FA, if you haven’t already. Even if you have no idea who might have been responsible, we recommend you lock them out before they abuse their access to your account even further. We also recommend doing this even if you found out which app or other method was used and successfully removed the culprit. Keep in mind that the same app or script might have harvested your login credentials and sent them to the threat actors.


Summary

What to do when you find posts in your name on Facebook which you did not post:
  1. Try to find out if there is a suspicious or unsolicited Facebook app active on your list that has posting authorization.
  2. Clear the cache of the browser that you use to access Facebook and the shortcuts you use to open Facebook.
  3. Change your password and consider enabling 2FA.
 

Other articles that might interest you:

  • Understanding the basics of two-factor authentication
  • Facebook Messenger Spam Spreading Malicious Chrome Extensions

    ABOUT THE AUTHOR

    Pieter Arntz

    Malware Intelligence Researcher

    Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.