Miley Cyrus fake “Sex Tape” worm on Facebook

I noticed a stream post on Facebook yesterday, supposedly about a leaked sex tape with Miley Cyrus, that I (though very carefully) clicked on. The image looks like a screen cap from a TV channel; it is fictitious, however, even though there are TV channels called TVN.

[Image: Facebook_post_obf]

The link in the post is, as usual, a short URL that hides where it actually goes. Some of the destination URLs include the following; I think the scam randomly distributes visitors between different sites, even though all of them are hosted on Google appspot, e.g.

miley-sex-video.appspot.com, miley-vid9.appspot.com, celeb-tv.appspot.com, celeb-hunter.appspot.com

Whatever site you end up at, the resulting page looks suspiciously like YouTube but displays an “age verification” dialogue (even the sad-face icon is stolen from YouTube).

This is actually a cunning trick to make the user authorize the application without noticing, and then hand the resulting information over to the page.

[Image: Age_verification]

The “click to verify” URL goes to facebook.com through a referrer-hiding service (href.li), probably included so that Facebook cannot easily determine where the request comes from. (The yellow warning bar displayed above comes from the RequestPolicy add-on; it is not displayed in a normal browser.)

[Image: Success_obf]

The resulting page just says “success”, and the page address contains a Facebook access token that the user “has to” pass back to the application. The application then has access to the user's stream and posts the image again as a mobile upload, tagging random friends in the image so that the image and link show up in the streams of users who do not even have a friend relation with the compromised user.
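The link chain described above (short URL, referrer-hiding wrapper, implicit-grant OAuth dialog, token in the success page's URL fragment) is the kind of thing an analyst wants to triage without leaking the token into a log. The helper below is an added example, not code from the post: it unwraps an href.li-style link, flags the indicators the post describes, and redacts any access_token before the URL is written anywhere. The href.li `?<url>` form, the `/dialog/oauth` path, the `response_type=token` parameter, the `publish_stream` scope name and the `login_success.html` redirect target are assumptions about Facebook's OAuth flow, not taken from the post.

```python
from urllib.parse import urlparse, parse_qs, unquote

REFERRER_HIDERS = {"href.li"}      # named in the post
FREE_HOSTING = ("appspot.com",)    # named in the post; a hint, not proof of abuse

def _on_domain(netloc: str, domain: str) -> bool:
    host = netloc.lower().split(":")[0]
    return host == domain or host.endswith("." + domain)

def unwrap_redirector(url: str) -> str:
    """Strip an href.li-style wrapper (assumed form: href.li/?<target-url>)."""
    p = urlparse(url)
    if p.netloc.lower() in REFERRER_HIDERS and p.query:
        return unquote(p.query) + ("#" + p.fragment if p.fragment else "")
    return url

def triage_url(url: str) -> dict:
    """Return the unwrapped target, indicator flags, and a log-safe redacted URL."""
    target = unwrap_redirector(url)
    p = urlparse(target)
    q = parse_qs(p.query)
    flags = []
    if target != url:
        flags.append("referrer_hider")
    if any(_on_domain(p.netloc, d) for d in FREE_HOSTING):
        flags.append("free_hosting")
    # Assumed: the OAuth dialog is /dialog/oauth; response_type=token is the
    # implicit grant that places the token directly in the redirect fragment.
    if _on_domain(p.netloc, "facebook.com") and p.path.endswith("/dialog/oauth"):
        if q.get("response_type", [""])[0] == "token":
            flags.append("oauth_implicit_grant")
        if "publish_stream" in q.get("scope", [""])[0].split(","):  # assumed scope name
            flags.append("requests_posting_permission")
    redacted = target
    if "access_token" in parse_qs(p.fragment):
        flags.append("token_in_fragment")
        redacted = target.split("#", 1)[0] + "#access_token=[REDACTED]"
    return {"target": target, "flags": flags, "redacted": redacted}

# Constructed sample links following the flow described in the post.
SAMPLE_LINKS = [
    "http://miley-vid9.appspot.com/",
    "https://href.li/?https://www.facebook.com/dialog/oauth?client_id=000000000000000"
    "&response_type=token&scope=publish_stream"
    "&redirect_uri=https://www.facebook.com/connect/login_success.html",
    "https://www.facebook.com/connect/login_success.html#access_token=CONSTRUCTED_TOKEN&expires_in=0",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = triage_url(link)
        print(result["flags"], result["redacted"])
```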

[Image: Fake]

The actual image that is supposed to be from the sex tape is shown for a brief moment when visiting the page; this is probably meant to look like the video is loading but is blocked by the age verification. It could be a screen cap from a generic porn movie or even photoshopped, I'm not sure; it is, however, likely not Miley Cyrus.

[Image: Twirler]

After passing the fake age verification page, the page just displays the twirler symbol as if it has problems loading the video. Depending on how desperate you are to actually view the video, you could even reload the page and go through the authorization once more, posting the worm image once again to a different list of friends.

[Image: Waiting]

Sometimes the loading image is displayed while waiting for age verification, further adding to the impression that the request has timed out and you could just try again later.

I have tried to analyze the HTML code of the pages a bit. It looks like the people who wrote this had some rather smart ideas to pull it off: it uses a plethora of free services to host the whole thing (Google appspot, Dropbox, bit.ly, imgur, whos.amung.us, googleapis, MaxMind), and they even distribute the load between different appspot instances to get around the daily limit on CPU time and traffic.

Since Friday, Facebook has apparently noticed this attack, removed the stream posts, and is now displaying a warning on the HTML success page to keep users from disclosing the access token:

[Image: Success_new_obf]

I checked the first image with TinEye and it came up with an unmodified version of the image; it comes from a 2010 blog post about “famous o-faces”, and the original image is probably taken from a video by Miley Cyrus.

[Image: Famous_ofaces_640_36]

Two updates (as of 10/1/2012):

The same thing was reported by somebody else yesterday, reaching the same conclusions: http://www.breakthesecurity.com/2012/09/miley-cryus-sex-tape-real-or-fake.html

(For the benefit of users finding this article via Google): the worm may return as a Selena Gomez/Justin Bieber “Sex Tape” scam, though I haven't found evidence that it is really going around on Facebook.
