A report on FacebookAdvice says that Facebook may be under attack by an XSS (cross-site scripting) worm.

Jesse Stay, the author, says that it started when he first got some wall posts, purportedly from his aunt. The first asked him to try out the new "crush calculator" which "works with your mobile phone and it uses a special scientific way to find the person near you that has a crush on you". If I got that from my aunt I'd be seriously freaking out. Another wall post he got was pushing ring tones for mobiles, a shady business even when hawked by legit operators.

Jesse wasn't the only contact of his aunt's to receive such stuff. Some research showed him that there are groups on Facebook for people to apologize to their friends for somehow getting their accounts hacked and sending out crush calculator invites. And since he got the posts from his aunt, he has received a lot of Skype spam, indicating that his identities are known to the attacker.

He posits several explanations, the last and best of which is that an XSS worm is taking root in Facebook, as such worms have previously in Orkut and MySpace.

Worm Blog master Jose Nazario points out that the perpetrator in this incident, Secret Crush, has been implicated in many other spyware campaigns, and he speculates that crush calculator could be an XSS worm to push installs of it.