How to cause utter chaos on Facebook - thomasdavis
https://gist.github.com/968060

======
program
It all began when a user pasted the value of the _jsText_ variable in the
address bar. The script creates a new _script_ DOM element and appends it to
_head_, injecting the malicious links (so that there is no longer any need to
run the bookmarklet-like link).

The problem here is that the (old) Facebook prompt_page.php page:

<http://www.facebook.com/connect/prompt_feed.php>

doesn't sanitize feed_info[action_links][0][href], allowing _javascript:_
links.
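
The missing check described in the comment above, as an added example that is not code from the gist or from anyone in this thread: an allow-list sanitizer for a user-supplied action-link href that rejects _javascript:_ (and any other non-http scheme) before the link is rendered. It uses the WHATWG URL parser so that case tricks, leading whitespace and embedded tab/newline characters are normalized away before the scheme is compared. The function names, the `feed_info`-shaped object and the sample hrefs are this example's own constructions.

```javascript
// Added example, not from the gist or the thread. Allow-list sanitizer for
// action-link hrefs; names and sample data are assumptions for illustration.

// Only plain web links are acceptable as action-link targets.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Naive deny-list check, shown for contrast: defeated by a case change,
// by leading whitespace and by an embedded tab or newline.
function naiveRejectsHref(href) {
  return href.startsWith("javascript:");
}

// Parse with the WHATWG URL parser (strips leading/trailing C0 controls and
// spaces, removes embedded tabs/newlines, lower-cases the scheme), then
// allow-list the resulting protocol. Returns the normalized absolute URL,
// or null when the input must not be rendered as a link.
function sanitizeActionHref(href) {
  if (typeof href !== "string") return null;
  let url;
  try {
    url = new URL(href); // relative or scheme-less input throws here
  } catch (e) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Apply the check to a feed_info-shaped object (the parameter structure the
// comment above names). Links that fail the check are dropped, not rendered.
function sanitizeActionLinks(feedInfo) {
  const links = Array.isArray(feedInfo && feedInfo.action_links)
    ? feedInfo.action_links
    : [];
  return links
    .map((l) => ({ text: String(l.text || ""), href: sanitizeActionHref(l.href) }))
    .filter((l) => l.href !== null);
}

// Constructed sample inputs: the first two survive, the rest are rejected.
const SAMPLE_HREFS = [
  "http://example.com/a",                      // → "http://example.com/a"
  "HTTPS://Example.COM/path?q=1",              // → "https://example.com/path?q=1"
  "javascript:alert(1)",                       // → null
  "JaVaScRiPt:alert(1)",                       // → null (naive check passes it)
  "  javascript:alert(1)",                     // → null
  "java\tscript:alert(1)",                     // → null
  "data:text/html,<script>alert(1)</script>",  // → null
  "//evil.example/x",                          // → null (no scheme)
];

function classifySamples() {
  return SAMPLE_HREFS.map((h) => [h, sanitizeActionHref(h)]);
}
```

The point of parsing before comparing is that the scheme is only meaningful after normalization; a string comparison against the raw input, as `naiveRejectsHref` does, is exactly the kind of filter the thread describes being bypassed.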

------
kooshball
Can someone post an image of what the "Remove this app" picture actually looks
like? Does it show as part of the newsfeed?

~~~
oomkiller
<http://i.imgur.com/wljHt.png> Seems to be a decent example.

------
wilshire461
It seems as though she is more the victim of some asshole that may or may not
know her, who is now trying to exact some revenge by making her life a
miserable hell while this mess gets sorted out.

------
rottyguy
Seems like a better way to cause a DNS attack on the file hoster's machine, no?
Better title: DNS attack from Facebook.

------
thomasdavis
Makes a vulgar post on a user's wall; if the user clicks "Remove this app" it
then posts it to all your friends' walls.

Reddit's reaction thus far
<http://www.reddit.com/r/reddit.com/search?q=nicole+santos>

Edit: I think Facebook has already taken it down; it lasted about 30 minutes.

~~~
guywithabike
It was Dropbox that took down the file, though I bet it was taken down by some
sort of automatic hotlinking protection system.

~~~
thomasdavis
The Dropbox link went down quite fast, it was mirrored by another site nearly
instantly and the hack remained in working condition. Then I'm guessing
Facebook took down the App and deleted all the comments that were spread.

------
bhickey
Great, you found a script injection. However, I think you misunderstand
"Hacker News"

~~~
thomasdavis
Wasn't me and I don't understand this comment.

