Stop! This is a browser feature intended for developers.

The other day, I had Chrome’s developer console open on Facebook when I noticed the following message, which was being output (and styled) to the console.

Stop! This is a browser feature intended for developers. If someone told you to copy-paste something here to enable a Facebook feature or “hack” someone’s account, it is a scam and will give them access to your Facebook account.

Here is a screenshot of the message:

[Screenshot: Stop. Browser Feature. Facebook.]

As you can see, the message also displays a link, which leads to an informational page about the dangers of XSS (Cross-site Scripting). It seems as though Facebook are having security issues with ignorant users who are following instructions that will give the “instructor” access to their account. Funnily enough, Facebook are calling this “Self-XSS”, simply because these stupid misinformed users are actually inflicting an XSS attack on themselves. My guess is that the attacker is providing these users with JavaScript code that will carry out an action under the name of the user, i.e. spamming the walls of friends and sending out private messages. Over the past couple of weeks, I’ve noticed a slight increase in wall spam (with links to malware sites, of course), so maybe it is related to that.

Note: If you have no idea what XSS is, then you should NEVER copy and paste anything into the developer console. Don’t play with things that you have no knowledge about.
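
How a site can print a styled console warning like the one above, as an added example (not Facebook's code and not part of the original post). The site name, help URL, CSS values and the wording of the link line are placeholders chosen for illustration.

```javascript
// Added example: a Self-XSS warning printed with console.log and %c styling.
// SITE_NAME and HELP_URL are placeholders, not values from the page.
const SITE_NAME = "ExampleSite";
const HELP_URL = "https://example.com/help/selfxss";

// Returns the argument list for console.log. Each %c in the format string
// consumes the CSS string that follows; variable text is passed through %s
// so a stray "%" in a name or URL cannot swallow a style argument.
function buildSelfXssWarning(siteName, helpUrl) {
  const headline = "color:red; font-size:48px; font-weight:bold;";
  const body = "font-size:18px;";
  const text =
    "This is a browser feature intended for developers. If someone told " +
    "you to copy-paste something here to enable a " + siteName +
    ' feature or "hack" someone\'s account, it is a scam and will give ' +
    "them access to your " + siteName + " account.";
  const link = "See " + helpUrl + " for more information."; // constructed wording
  return ["%cStop!\n%c%s\n%c%s", headline, body, text, body, link];
}

// Prints the warning. A missing or throwing console must never break the
// page, so every failure is reported as false instead of propagating.
function showSelfXssWarning(out = globalThis.console) {
  if (!out || typeof out.log !== "function") return false;
  try {
    out.log(...buildSelfXssWarning(SITE_NAME, HELP_URL));
    return true;
  } catch (e) {
    return false;
  }
}

showSelfXssWarning();
```

Consoles without CSS support (Node, for instance) drop the %c styles and print the plain text.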