There are many unpatched loopholes or flaws in Facebook website, that allow hackers to inject external links or images to a wall, hijacking any facebook account or bypassing your social privacy. In 2012 Facebook’s method of publishing called stream.publish and the Stream Publish Dialog looks like the following:https://www.facebook.com/dialog/feed?app_id=127995567256931&link=https://nmap.org/dist/nmap-6.20B-setup.exe. With this parameter, we will include our malicious external link (virus exe file, 0days, Phishing site, or any other malicious link)
Source: https://thehackernews.com/2013/05/facebook-hacking-technique-to-spoof.html